healer | f6fc3d5332537df9f31ed5f91fda53a6cc2d08ca69958b4f9982f20398365c80

Analysis

max time kernel
31s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y6836522.exe
Size

863KB
MD5

b6892af7074185fcf0259e7c20f8616e
SHA1

f76448c4fb6bdd7427ce40ef0eec1937b4514734
SHA256

f6fc3d5332537df9f31ed5f91fda53a6cc2d08ca69958b4f9982f20398365c80
SHA512

a414e0e23a1c31501d9d73850aa5a04d0be0f488a3a76d6b3cbc72a8a554191422ddc3436d5b389224f9d78bf66cafc044ca53b480a4ac36038042f4a725d5df
SSDEEP

12288:gMr5y90alkBjdp9sU3ojZ8Gf5jb6eoYcD8eMxswF4IDAg1UZYyGlaqFF/xFEFHrZ:pyRkBjdnx3+jRP68tF49YsaTE/

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/1276-77-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3913104.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3913104.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k3913104.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3913104.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3913104.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3913104.exe

Executes dropped EXE 3 IoCs

pid	Process
2996	y8805359.exe
1276	k3913104.exe
2532	l1635494.exe

Loads dropped DLL 12 IoCs

pid	Process
2344	y6836522.exe
2996	y8805359.exe
2996	y8805359.exe
2996	y8805359.exe
1276	k3913104.exe
2996	y8805359.exe
2996	y8805359.exe
2532	l1635494.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k3913104.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3913104.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6836522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	y6836522.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8805359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8805359.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2528	2532	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1276	k3913104.exe
1276	k3913104.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	k3913104.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2996	2344	y6836522.exe	28
PID 2344 wrote to memory of 2996	2344	y6836522.exe	28
PID 2344 wrote to memory of 2996	2344	y6836522.exe	28
PID 2344 wrote to memory of 2996	2344	y6836522.exe	28
PID 2344 wrote to memory of 2996	2344	y6836522.exe	28
PID 2344 wrote to memory of 2996	2344	y6836522.exe	28
PID 2344 wrote to memory of 2996	2344	y6836522.exe	28
PID 2996 wrote to memory of 1276	2996	y8805359.exe	29
PID 2996 wrote to memory of 1276	2996	y8805359.exe	29
PID 2996 wrote to memory of 1276	2996	y8805359.exe	29
PID 2996 wrote to memory of 1276	2996	y8805359.exe	29
PID 2996 wrote to memory of 1276	2996	y8805359.exe	29
PID 2996 wrote to memory of 1276	2996	y8805359.exe	29
PID 2996 wrote to memory of 1276	2996	y8805359.exe	29
PID 2996 wrote to memory of 2532	2996	y8805359.exe	31
PID 2996 wrote to memory of 2532	2996	y8805359.exe	31
PID 2996 wrote to memory of 2532	2996	y8805359.exe	31
PID 2996 wrote to memory of 2532	2996	y8805359.exe	31
PID 2996 wrote to memory of 2532	2996	y8805359.exe	31
PID 2996 wrote to memory of 2532	2996	y8805359.exe	31
PID 2996 wrote to memory of 2532	2996	y8805359.exe	31
PID 2532 wrote to memory of 2528	2532	l1635494.exe	33
PID 2532 wrote to memory of 2528	2532	l1635494.exe	33
PID 2532 wrote to memory of 2528	2532	l1635494.exe	33
PID 2532 wrote to memory of 2528	2532	l1635494.exe	33
PID 2532 wrote to memory of 2528	2532	l1635494.exe	33
PID 2532 wrote to memory of 2528	2532	l1635494.exe	33
PID 2532 wrote to memory of 2528	2532	l1635494.exe	33

C:\Users\Admin\AppData\Local\Temp\y6836522.exe
"C:\Users\Admin\AppData\Local\Temp\y6836522.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8805359.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8805359.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3913104.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3913104.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 276
      4⤵
      Loads dropped DLL
      Program crash
      PID:2528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8805359.exe

Filesize
680KB

MD5
056943d59d1e91dddef3ce2e6c71d720

SHA1
06c83a316960184806ec191720887efa33eeb19f

SHA256
979da931d446ec6ee669695326f3000c87cf226802899331f68176655b10db87

SHA512
357cc03045de200a9459c3216255ba00491290b851f8fd9e05e751e9e5698539abc23186905800080a2ba4a9a54a40a85da38510fca85ac575ba016fab81d517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8805359.exe

Filesize
680KB

MD5
056943d59d1e91dddef3ce2e6c71d720

SHA1
06c83a316960184806ec191720887efa33eeb19f

SHA256
979da931d446ec6ee669695326f3000c87cf226802899331f68176655b10db87

SHA512
357cc03045de200a9459c3216255ba00491290b851f8fd9e05e751e9e5698539abc23186905800080a2ba4a9a54a40a85da38510fca85ac575ba016fab81d517

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3913104.exe

Filesize
530KB

MD5
242560722e7846feaf218cdfaadce3b8

SHA1
1e1a32c2285adaa01f35c418a50306ed4a3d755d

SHA256
6a6008a217e120313b7f482e6b53676df300e03fac9780d29d648fd0ef1e7d5e

SHA512
a67ce6bca8aa2adc664e6f1cbde285b47a3d702014f554bbf5238e4841efd27d99eb702c2edec0945960c8cabd3a1947033e06b6d8b92dc28acd42ebf7b718c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3913104.exe

Filesize
530KB

MD5
242560722e7846feaf218cdfaadce3b8

SHA1
1e1a32c2285adaa01f35c418a50306ed4a3d755d

SHA256
6a6008a217e120313b7f482e6b53676df300e03fac9780d29d648fd0ef1e7d5e

SHA512
a67ce6bca8aa2adc664e6f1cbde285b47a3d702014f554bbf5238e4841efd27d99eb702c2edec0945960c8cabd3a1947033e06b6d8b92dc28acd42ebf7b718c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3913104.exe

Filesize
530KB

MD5
242560722e7846feaf218cdfaadce3b8

SHA1
1e1a32c2285adaa01f35c418a50306ed4a3d755d

SHA256
6a6008a217e120313b7f482e6b53676df300e03fac9780d29d648fd0ef1e7d5e

SHA512
a67ce6bca8aa2adc664e6f1cbde285b47a3d702014f554bbf5238e4841efd27d99eb702c2edec0945960c8cabd3a1947033e06b6d8b92dc28acd42ebf7b718c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe

Filesize
692KB

MD5
84de04ec82124de82c84b3a3315e0624

SHA1
70b4ecc883c09549219e6a4486cf73f46762b9ce

SHA256
97aff727dfe741c441e8c86e7b746a045ead7f66b2d28756d6837bde4b5f4ae3

SHA512
54e814074613aa66243aea9c0c581060bb80207cd6382005ab2007fad8d88700adc1986be5ca851023e66024f74b62566a4b3e9c7f96a685c7bb3031dd6386c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe

Filesize
692KB

MD5
84de04ec82124de82c84b3a3315e0624

SHA1
70b4ecc883c09549219e6a4486cf73f46762b9ce

SHA256
97aff727dfe741c441e8c86e7b746a045ead7f66b2d28756d6837bde4b5f4ae3

SHA512
54e814074613aa66243aea9c0c581060bb80207cd6382005ab2007fad8d88700adc1986be5ca851023e66024f74b62566a4b3e9c7f96a685c7bb3031dd6386c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe

Filesize
692KB

MD5
84de04ec82124de82c84b3a3315e0624

SHA1
70b4ecc883c09549219e6a4486cf73f46762b9ce

SHA256
97aff727dfe741c441e8c86e7b746a045ead7f66b2d28756d6837bde4b5f4ae3

SHA512
54e814074613aa66243aea9c0c581060bb80207cd6382005ab2007fad8d88700adc1986be5ca851023e66024f74b62566a4b3e9c7f96a685c7bb3031dd6386c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8805359.exe

Filesize
680KB

MD5
056943d59d1e91dddef3ce2e6c71d720

SHA1
06c83a316960184806ec191720887efa33eeb19f

SHA256
979da931d446ec6ee669695326f3000c87cf226802899331f68176655b10db87

SHA512
357cc03045de200a9459c3216255ba00491290b851f8fd9e05e751e9e5698539abc23186905800080a2ba4a9a54a40a85da38510fca85ac575ba016fab81d517

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8805359.exe

Filesize
680KB

MD5
056943d59d1e91dddef3ce2e6c71d720

SHA1
06c83a316960184806ec191720887efa33eeb19f

SHA256
979da931d446ec6ee669695326f3000c87cf226802899331f68176655b10db87

SHA512
357cc03045de200a9459c3216255ba00491290b851f8fd9e05e751e9e5698539abc23186905800080a2ba4a9a54a40a85da38510fca85ac575ba016fab81d517

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3913104.exe

Filesize
530KB

MD5
242560722e7846feaf218cdfaadce3b8

SHA1
1e1a32c2285adaa01f35c418a50306ed4a3d755d

SHA256
6a6008a217e120313b7f482e6b53676df300e03fac9780d29d648fd0ef1e7d5e

SHA512
a67ce6bca8aa2adc664e6f1cbde285b47a3d702014f554bbf5238e4841efd27d99eb702c2edec0945960c8cabd3a1947033e06b6d8b92dc28acd42ebf7b718c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3913104.exe

Filesize
530KB

MD5
242560722e7846feaf218cdfaadce3b8

SHA1
1e1a32c2285adaa01f35c418a50306ed4a3d755d

SHA256
6a6008a217e120313b7f482e6b53676df300e03fac9780d29d648fd0ef1e7d5e

SHA512
a67ce6bca8aa2adc664e6f1cbde285b47a3d702014f554bbf5238e4841efd27d99eb702c2edec0945960c8cabd3a1947033e06b6d8b92dc28acd42ebf7b718c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3913104.exe

Filesize
530KB

MD5
242560722e7846feaf218cdfaadce3b8

SHA1
1e1a32c2285adaa01f35c418a50306ed4a3d755d

SHA256
6a6008a217e120313b7f482e6b53676df300e03fac9780d29d648fd0ef1e7d5e

SHA512
a67ce6bca8aa2adc664e6f1cbde285b47a3d702014f554bbf5238e4841efd27d99eb702c2edec0945960c8cabd3a1947033e06b6d8b92dc28acd42ebf7b718c0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe

Filesize
692KB

MD5
84de04ec82124de82c84b3a3315e0624

SHA1
70b4ecc883c09549219e6a4486cf73f46762b9ce

SHA256
97aff727dfe741c441e8c86e7b746a045ead7f66b2d28756d6837bde4b5f4ae3

SHA512
54e814074613aa66243aea9c0c581060bb80207cd6382005ab2007fad8d88700adc1986be5ca851023e66024f74b62566a4b3e9c7f96a685c7bb3031dd6386c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe

Filesize
692KB

MD5
84de04ec82124de82c84b3a3315e0624

SHA1
70b4ecc883c09549219e6a4486cf73f46762b9ce

SHA256
97aff727dfe741c441e8c86e7b746a045ead7f66b2d28756d6837bde4b5f4ae3

SHA512
54e814074613aa66243aea9c0c581060bb80207cd6382005ab2007fad8d88700adc1986be5ca851023e66024f74b62566a4b3e9c7f96a685c7bb3031dd6386c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe

Filesize
692KB

MD5
84de04ec82124de82c84b3a3315e0624

SHA1
70b4ecc883c09549219e6a4486cf73f46762b9ce

SHA256
97aff727dfe741c441e8c86e7b746a045ead7f66b2d28756d6837bde4b5f4ae3

SHA512
54e814074613aa66243aea9c0c581060bb80207cd6382005ab2007fad8d88700adc1986be5ca851023e66024f74b62566a4b3e9c7f96a685c7bb3031dd6386c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe

Filesize
692KB

MD5
84de04ec82124de82c84b3a3315e0624

SHA1
70b4ecc883c09549219e6a4486cf73f46762b9ce

SHA256
97aff727dfe741c441e8c86e7b746a045ead7f66b2d28756d6837bde4b5f4ae3

SHA512
54e814074613aa66243aea9c0c581060bb80207cd6382005ab2007fad8d88700adc1986be5ca851023e66024f74b62566a4b3e9c7f96a685c7bb3031dd6386c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe

Filesize
692KB

MD5
84de04ec82124de82c84b3a3315e0624

SHA1
70b4ecc883c09549219e6a4486cf73f46762b9ce

SHA256
97aff727dfe741c441e8c86e7b746a045ead7f66b2d28756d6837bde4b5f4ae3

SHA512
54e814074613aa66243aea9c0c581060bb80207cd6382005ab2007fad8d88700adc1986be5ca851023e66024f74b62566a4b3e9c7f96a685c7bb3031dd6386c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe

Filesize
692KB

MD5
84de04ec82124de82c84b3a3315e0624

SHA1
70b4ecc883c09549219e6a4486cf73f46762b9ce

SHA256
97aff727dfe741c441e8c86e7b746a045ead7f66b2d28756d6837bde4b5f4ae3

SHA512
54e814074613aa66243aea9c0c581060bb80207cd6382005ab2007fad8d88700adc1986be5ca851023e66024f74b62566a4b3e9c7f96a685c7bb3031dd6386c3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1635494.exe

Filesize
692KB

MD5
84de04ec82124de82c84b3a3315e0624

SHA1
70b4ecc883c09549219e6a4486cf73f46762b9ce

SHA256
97aff727dfe741c441e8c86e7b746a045ead7f66b2d28756d6837bde4b5f4ae3

SHA512
54e814074613aa66243aea9c0c581060bb80207cd6382005ab2007fad8d88700adc1986be5ca851023e66024f74b62566a4b3e9c7f96a685c7bb3031dd6386c3

Download Submit
memory/1276-77-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download