healer | b6f47a3bfae2340cb43155de36a42fdf174c4a78c018a6d13951812247cf4296

Analysis

max time kernel
13s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
14/07/2023, 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f47a3bfae2340cb43155de36a42fdf174c4a78c018a6d13951812247cf4296.exe
Size

1.5MB
MD5

ad5990ceb2f9e176f5bce809abb7d322
SHA1

7d78f0a6a235cac3e34035f9668bcf0e77bd9d79
SHA256

b6f47a3bfae2340cb43155de36a42fdf174c4a78c018a6d13951812247cf4296
SHA512

04518bf2dc2b7896b4356b57d1fd29dbb163ebc959d643a4aac22996e771e65f3eb3c8765e851bd6ce435d7bf1bfa0273a2b243c3c29df415d1bb8d619ed4ea4
SSDEEP

49152:5RAKiSCEXDlvYM+yP1Ib8uY+4YSPSXpTrQp:vAbEKM3VPEqp

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral1/memory/1180-150-0x0000000000400000-0x000000000041B000-memory.dmp	healer
behavioral1/memory/1180-151-0x00000000001E0000-0x00000000001EA000-memory.dmp	healer
behavioral1/files/0x000600000001b04a-161.dat	healer
behavioral1/files/0x000600000001b04a-162.dat	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4468345.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4468345.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4468345.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4468345.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4468345.exe

Executes dropped EXE 5 IoCs

pid	Process
3224	v3571539.exe
2848	v2816021.exe
2896	v2609301.exe
1180	a4468345.exe
2764	b6309141.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4468345.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4468345.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b6f47a3bfae2340cb43155de36a42fdf174c4a78c018a6d13951812247cf4296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6f47a3bfae2340cb43155de36a42fdf174c4a78c018a6d13951812247cf4296.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3571539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3571539.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2816021.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2816021.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2609301.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2609301.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1180	a4468345.exe
1180	a4468345.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	a4468345.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3224	4896	b6f47a3bfae2340cb43155de36a42fdf174c4a78c018a6d13951812247cf4296.exe	70
PID 4896 wrote to memory of 3224	4896	b6f47a3bfae2340cb43155de36a42fdf174c4a78c018a6d13951812247cf4296.exe	70
PID 4896 wrote to memory of 3224	4896	b6f47a3bfae2340cb43155de36a42fdf174c4a78c018a6d13951812247cf4296.exe	70
PID 3224 wrote to memory of 2848	3224	v3571539.exe	71
PID 3224 wrote to memory of 2848	3224	v3571539.exe	71
PID 3224 wrote to memory of 2848	3224	v3571539.exe	71
PID 2848 wrote to memory of 2896	2848	v2816021.exe	72
PID 2848 wrote to memory of 2896	2848	v2816021.exe	72
PID 2848 wrote to memory of 2896	2848	v2816021.exe	72
PID 2896 wrote to memory of 1180	2896	v2609301.exe	73
PID 2896 wrote to memory of 1180	2896	v2609301.exe	73
PID 2896 wrote to memory of 1180	2896	v2609301.exe	73
PID 2896 wrote to memory of 2764	2896	v2609301.exe	75
PID 2896 wrote to memory of 2764	2896	v2609301.exe	75

C:\Users\Admin\AppData\Local\Temp\b6f47a3bfae2340cb43155de36a42fdf174c4a78c018a6d13951812247cf4296.exe
"C:\Users\Admin\AppData\Local\Temp\b6f47a3bfae2340cb43155de36a42fdf174c4a78c018a6d13951812247cf4296.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571539.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571539.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2816021.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2816021.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2609301.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2609301.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4468345.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4468345.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6309141.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6309141.exe
        5⤵
        Executes dropped EXE
        
        PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571539.exe

Filesize
1.4MB

MD5
c4f996dd2b3ba7ec8d65b8001a42b917

SHA1
50e6269fabf62124460e62577df140603d2fb489

SHA256
56b9818e79850f9016f92bf8151682ecd0105b3941dd7faf75bea15491ce01cf

SHA512
01153da7de5d2280f58bf162ceac276b22ef64224ef8ea2caadda94b554a7692a17fc4510559593fc787eb18f24b9ea05e65dd9c720f899fadeca11233619b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3571539.exe

Filesize
1.4MB

MD5
c4f996dd2b3ba7ec8d65b8001a42b917

SHA1
50e6269fabf62124460e62577df140603d2fb489

SHA256
56b9818e79850f9016f92bf8151682ecd0105b3941dd7faf75bea15491ce01cf

SHA512
01153da7de5d2280f58bf162ceac276b22ef64224ef8ea2caadda94b554a7692a17fc4510559593fc787eb18f24b9ea05e65dd9c720f899fadeca11233619b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2816021.exe

Filesize
1.3MB

MD5
89e5344c74708dff0682c114a94fef8b

SHA1
cd5bb28a35c31ecbe93fc6d5ae5d3e5e6ca1c724

SHA256
c6a7a4b0de035396a3dbf3031df015669d908ad56f5f13db09f1ae9697bc5cc9

SHA512
02116cc0897cb167653173864f8680e031a7d46194d41b888e49c7cbbe797e5d3a2012e714da0ce9396dfc61f2447e0c3bbd2716dc9e5e9097bacb8f3d9e9cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2816021.exe

Filesize
1.3MB

MD5
89e5344c74708dff0682c114a94fef8b

SHA1
cd5bb28a35c31ecbe93fc6d5ae5d3e5e6ca1c724

SHA256
c6a7a4b0de035396a3dbf3031df015669d908ad56f5f13db09f1ae9697bc5cc9

SHA512
02116cc0897cb167653173864f8680e031a7d46194d41b888e49c7cbbe797e5d3a2012e714da0ce9396dfc61f2447e0c3bbd2716dc9e5e9097bacb8f3d9e9cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2609301.exe

Filesize
639KB

MD5
b1e45b376e20f2ec209fd88d754e8c8e

SHA1
fbade317428c1e12456a0c7c461e34df288ccc59

SHA256
3e73a4a44f1fed67b5eac63ceb1405eaf2632d2e666cc906a7f8277694badce1

SHA512
5866ba588b98922e68e083c7ba7d6879747fa7e959f34c7c43fffbcd56418c802e0a03906326faf662d34ab0345fa68e6586fee80fad53004841e72ded2cce93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2609301.exe

Filesize
639KB

MD5
b1e45b376e20f2ec209fd88d754e8c8e

SHA1
fbade317428c1e12456a0c7c461e34df288ccc59

SHA256
3e73a4a44f1fed67b5eac63ceb1405eaf2632d2e666cc906a7f8277694badce1

SHA512
5866ba588b98922e68e083c7ba7d6879747fa7e959f34c7c43fffbcd56418c802e0a03906326faf662d34ab0345fa68e6586fee80fad53004841e72ded2cce93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4468345.exe

Filesize
568KB

MD5
e2ac76cfcad408f4d65286105581eb02

SHA1
f1f49c97ed1aea8f9a091ed504f6dbdf282bd054

SHA256
59cd6fe9b581d10001af90bdf304aa4492fe529f2c47c14c5e2791319d5e2633

SHA512
c7f10adf8ee6a012a5319ba6d3b1f4d31a0202bf011c9a54ec97e01d4f1a5788dc9f8d80effa91faeaa2631be69b07828a6f9573cb53aa169713b4aca89a0234

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4468345.exe

Filesize
568KB

MD5
e2ac76cfcad408f4d65286105581eb02

SHA1
f1f49c97ed1aea8f9a091ed504f6dbdf282bd054

SHA256
59cd6fe9b581d10001af90bdf304aa4492fe529f2c47c14c5e2791319d5e2633

SHA512
c7f10adf8ee6a012a5319ba6d3b1f4d31a0202bf011c9a54ec97e01d4f1a5788dc9f8d80effa91faeaa2631be69b07828a6f9573cb53aa169713b4aca89a0234

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6309141.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6309141.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/1180-150-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1180-151-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/1180-155-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/1180-156-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/1180-159-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download