healer | 88ba0b7c19dbd3c64dd3f5bac6e0ee12275c60ab693614ba4db5287484eceabe

General

Target

88ba0b7c19dbd3c64dd3f5bac6e0ee12275c60ab693614ba4db5287484eceabe.exe
Size

704KB
MD5

c75bbe06262c7f20fa2aee47ef6ca131
SHA1

d2b8ab00d299eebac634ac5629c128a3cd7c8b48
SHA256

88ba0b7c19dbd3c64dd3f5bac6e0ee12275c60ab693614ba4db5287484eceabe
SHA512

d55341ac185fe5810f1d3fdf7fc317eb6778552b9ec074b1885b7b130ec6ac24b3d8dd1c6dd46a35e55ee595ae35291887512d81767c539e79fbee9208660e80
SSDEEP

12288:2Mrpy901G4k6xT1nYRSi+zNjtyUP0sFRp7SVEdqjcQMp9rTr6rIYiBWFwM+j9ulp:3y2N8RSiSFMSXLPNWKMo9ul5L

Score

10^/10

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000001b00f-25.dat	healer
behavioral2/files/0x000700000001b00f-27.dat	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Executes dropped EXE 4 IoCs

pid	Process
772	x4641262.exe
3152	x4651240.exe
2596	x1859454.exe
2844	g0428524.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4651240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1859454.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	88ba0b7c19dbd3c64dd3f5bac6e0ee12275c60ab693614ba4db5287484eceabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4641262.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 772	4836	88ba0b7c19dbd3c64dd3f5bac6e0ee12275c60ab693614ba4db5287484eceabe.exe	70
PID 4836 wrote to memory of 772	4836	88ba0b7c19dbd3c64dd3f5bac6e0ee12275c60ab693614ba4db5287484eceabe.exe	70
PID 4836 wrote to memory of 772	4836	88ba0b7c19dbd3c64dd3f5bac6e0ee12275c60ab693614ba4db5287484eceabe.exe	70
PID 772 wrote to memory of 3152	772	x4641262.exe	71
PID 772 wrote to memory of 3152	772	x4641262.exe	71
PID 772 wrote to memory of 3152	772	x4641262.exe	71
PID 3152 wrote to memory of 2596	3152	x4651240.exe	72
PID 3152 wrote to memory of 2596	3152	x4651240.exe	72
PID 3152 wrote to memory of 2596	3152	x4651240.exe	72
PID 2596 wrote to memory of 2844	2596	x1859454.exe	73
PID 2596 wrote to memory of 2844	2596	x1859454.exe	73

C:\Users\Admin\AppData\Local\Temp\88ba0b7c19dbd3c64dd3f5bac6e0ee12275c60ab693614ba4db5287484eceabe.exe
"C:\Users\Admin\AppData\Local\Temp\88ba0b7c19dbd3c64dd3f5bac6e0ee12275c60ab693614ba4db5287484eceabe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4641262.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4641262.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4651240.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4651240.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1859454.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1859454.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0428524.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0428524.exe
        5⤵
        Executes dropped EXE
        
        PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4641262.exe

Filesize
599KB

MD5
8d94147d71395e30bfc055cb9c38f2a7

SHA1
a87f4b395303166a66f72f7f00115e5b7b0ecd3a

SHA256
1aa30cab317a7bf928df9b21968b4c52435524dcda9530ba8708a161d6bfb685

SHA512
58e3c28058de02959349c3cac257cabbc3a75c2db59e1998dc93c58fbe3dd556cba6982b6574be9a85706f24c631190a248d2b3457be0ca45135540cb49cb549

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4641262.exe

Filesize
599KB

MD5
8d94147d71395e30bfc055cb9c38f2a7

SHA1
a87f4b395303166a66f72f7f00115e5b7b0ecd3a

SHA256
1aa30cab317a7bf928df9b21968b4c52435524dcda9530ba8708a161d6bfb685

SHA512
58e3c28058de02959349c3cac257cabbc3a75c2db59e1998dc93c58fbe3dd556cba6982b6574be9a85706f24c631190a248d2b3457be0ca45135540cb49cb549

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4651240.exe

Filesize
433KB

MD5
2b8f86269d353af94641cf1fdf9b7552

SHA1
0c734913c2c179db334cb45f6e88c3dfde780271

SHA256
e5b093dfcc97062bf81d5a5b97107ee2cdb4a777ccdc35ac0c56158bfe7bc039

SHA512
c019cf5ee70f0819a2e452696f3f5bcff7b50e4956517b05b0543652e64c8f520990ce0ac321a3992e2a6f6dea81f0b22e6959323ccf70607a5f8dcdb393bf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4651240.exe

Filesize
433KB

MD5
2b8f86269d353af94641cf1fdf9b7552

SHA1
0c734913c2c179db334cb45f6e88c3dfde780271

SHA256
e5b093dfcc97062bf81d5a5b97107ee2cdb4a777ccdc35ac0c56158bfe7bc039

SHA512
c019cf5ee70f0819a2e452696f3f5bcff7b50e4956517b05b0543652e64c8f520990ce0ac321a3992e2a6f6dea81f0b22e6959323ccf70607a5f8dcdb393bf27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1859454.exe

Filesize
277KB

MD5
37c98e211f58e8daa9adc4812fca91ad

SHA1
384629451af7d6fffdfdf4d9af1689d387ba3920

SHA256
db1a5e810303de8278f5bc0f7cece65977165daf16b3ea99b8c326ee9a746222

SHA512
6997cc461a48ff1db6d8f29dbf1009ee789ea516a9c35f7f4b829a19746f58a365aa2c98ba2601582f50952357675370e365b41ee1f5b6a50ff216fa588c68b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1859454.exe

Filesize
277KB

MD5
37c98e211f58e8daa9adc4812fca91ad

SHA1
384629451af7d6fffdfdf4d9af1689d387ba3920

SHA256
db1a5e810303de8278f5bc0f7cece65977165daf16b3ea99b8c326ee9a746222

SHA512
6997cc461a48ff1db6d8f29dbf1009ee789ea516a9c35f7f4b829a19746f58a365aa2c98ba2601582f50952357675370e365b41ee1f5b6a50ff216fa588c68b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0428524.exe

Filesize
13KB

MD5
5e3fad66b0cd3e81bde10937ea32111b

SHA1
3e6e7cc48a244eec2bf8d8afdfc6c22c1a3030ef

SHA256
73bb8b1763874a3de2c5fdf001ba9ef481ef8e8d59ac52e88e2fa55c0b70c8df

SHA512
1c75a8925d2164a1a2584f4ae53ff2f99079304f831d5ede01433a0865fc57555b341acb8ba1b52112060d9de2ace7b3ee9b655bb18beaaa8d527adabfbc6c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0428524.exe

Filesize
13KB

MD5
5e3fad66b0cd3e81bde10937ea32111b

SHA1
3e6e7cc48a244eec2bf8d8afdfc6c22c1a3030ef

SHA256
73bb8b1763874a3de2c5fdf001ba9ef481ef8e8d59ac52e88e2fa55c0b70c8df

SHA512
1c75a8925d2164a1a2584f4ae53ff2f99079304f831d5ede01433a0865fc57555b341acb8ba1b52112060d9de2ace7b3ee9b655bb18beaaa8d527adabfbc6c6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads