healer | d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843

Analysis

max time kernel
126s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
16-07-2023 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe
Size

146KB
MD5

ba3686fcd353c6ff20b86615ef05dde9
SHA1

cbda4857f125708ce14bc3cf48be549ef2f87c05
SHA256

d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843
SHA512

e9f552895fae1c03ea0e21def511221880950154e506aa79a8adc51151b3e495bd32d34f9b20beda5b291d6faeda177a1e3d385043a0423a6029b7a7a1a866d2
SSDEEP

3072:/hFA/6ixzzLwjiR7ZwelYpKj/rlxafNoLXfHXW:p8KjiRVwz8UNorPXW

Score

10^/10

healer dropper evasion trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/5068-121-0x00000000001C0000-0x00000000001CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5068	d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe
5068	d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe

C:\Users\Admin\AppData\Local\Temp\d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe
"C:\Users\Admin\AppData\Local\Temp\d493f2779850ee4b508d0d91ff9446406a447bfa325ddea54ad728489241b843.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5068-121-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/5068-125-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/5068-128-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download