healer | 1cef7f08118986301aa1ae41eedc757dcb2ac2160b2e0aa7ad0ebf5c2d9d8c6b

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2023, 15:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

328KB
MD5

2ce2b22c19530551c888b9e300ec7f18
SHA1

fe0cbb415ce1c51b2219b910f8c96566bfcbfab2
SHA256

ccb9086fc1709485302ec90d7f960e13db4844caef664fe940d4d6def976d1f3
SHA512

be5a16f1f066a6590f711940e5758afc0f2354ba195adcefdf6e3dd07ea681a777146b5a9b3d59fdac651716c78754edd9cdf9fbb1974310b90b21d90408b2e1
SSDEEP

6144:Kly+bnr+7p0yN90QE0Q5xeyziFHV7qyrxvjfTiwEZ3ZvzpheB:DMrPy90TeyzwHJqydrr83Nzp8

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/408-7-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 2 IoCs

pid	Process
976	q9112251.exe
2584	r0360247.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	sample.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 408	976	q9112251.exe	90
PID 2584 set thread context of 1856	2584	r0360247.exe	93

Program crash 1 IoCs

pid	pid_target	Process	procid_target
220	1856	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
408	AppLaunch.exe
408	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	408	AppLaunch.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 976	1444	sample.exe	88
PID 1444 wrote to memory of 976	1444	sample.exe	88
PID 1444 wrote to memory of 976	1444	sample.exe	88
PID 976 wrote to memory of 408	976	q9112251.exe	90
PID 976 wrote to memory of 408	976	q9112251.exe	90
PID 976 wrote to memory of 408	976	q9112251.exe	90
PID 976 wrote to memory of 408	976	q9112251.exe	90
PID 976 wrote to memory of 408	976	q9112251.exe	90
PID 976 wrote to memory of 408	976	q9112251.exe	90
PID 976 wrote to memory of 408	976	q9112251.exe	90
PID 976 wrote to memory of 408	976	q9112251.exe	90
PID 1444 wrote to memory of 2584	1444	sample.exe	91
PID 1444 wrote to memory of 2584	1444	sample.exe	91
PID 1444 wrote to memory of 2584	1444	sample.exe	91
PID 2584 wrote to memory of 1856	2584	r0360247.exe	93
PID 2584 wrote to memory of 1856	2584	r0360247.exe	93
PID 2584 wrote to memory of 1856	2584	r0360247.exe	93
PID 2584 wrote to memory of 1856	2584	r0360247.exe	93
PID 2584 wrote to memory of 1856	2584	r0360247.exe	93
PID 2584 wrote to memory of 1856	2584	r0360247.exe	93
PID 2584 wrote to memory of 1856	2584	r0360247.exe	93
PID 2584 wrote to memory of 1856	2584	r0360247.exe	93
PID 2584 wrote to memory of 1856	2584	r0360247.exe	93
PID 2584 wrote to memory of 1856	2584	r0360247.exe	93

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9112251.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9112251.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0360247.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0360247.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 540
      4⤵
      Program crash
      PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1856 -ip 1856
1⤵
PID:3748

Network

DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

1.202.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.202.248.87.in-addr.arpa

IN PTR

Response

1.202.248.87.in-addr.arpa

IN PTR

https-87-248-202-1amsllnwnet
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

8.3.197.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.3.197.209.in-addr.arpa

IN PTR

Response

8.3.197.209.in-addr.arpa

IN PTR

vip0x008map2sslhwcdnnet
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response
DNS

6.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.173.189.20.in-addr.arpa

IN PTR

Response

20.231.121.79:80

46 B
1

8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

1.202.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

1.202.248.87.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

8.3.197.209.in-addr.arpa

dns

70 B
111 B
1
1

DNS Request

8.3.197.209.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa
8.8.8.8:53

6.173.189.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

6.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9112251.exe

Filesize
213KB

MD5
bce3c2ce66d4445f778c762bdd2daf05

SHA1
a75f1d0ce58dffc1fb514e803af06b824e08726e

SHA256
7da1c38aa827449ae85d420faac841f04c4fe9924f8ec22d1b6e825e5c1f08bb

SHA512
4363d0c898af0961c3a81a8168b17f302b359f06a9946911b2f2b262d80aba226cdc264e2edda8809bdaebb44e55c3d3d89058f58c617f13a61fb816f2432fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9112251.exe

Filesize
213KB

MD5
bce3c2ce66d4445f778c762bdd2daf05

SHA1
a75f1d0ce58dffc1fb514e803af06b824e08726e

SHA256
7da1c38aa827449ae85d420faac841f04c4fe9924f8ec22d1b6e825e5c1f08bb

SHA512
4363d0c898af0961c3a81a8168b17f302b359f06a9946911b2f2b262d80aba226cdc264e2edda8809bdaebb44e55c3d3d89058f58c617f13a61fb816f2432fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0360247.exe

Filesize
342KB

MD5
149a994fbf5e6e414ac9da01dc27e8a2

SHA1
3a3ac1218ba92ba9488d2489ee3c14f115045a4b

SHA256
022e8939826faae426c61668fa793c72712226cc194f693241821f14e703b3f6

SHA512
a804d9b727f560596533b6d680b17d4941247be7698b0a4b01a7b844b5bf30980c7810e891d4802b38474c5c619c023d1587701f8541ddd9af9372fd0b148d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0360247.exe

Filesize
342KB

MD5
149a994fbf5e6e414ac9da01dc27e8a2

SHA1
3a3ac1218ba92ba9488d2489ee3c14f115045a4b

SHA256
022e8939826faae426c61668fa793c72712226cc194f693241821f14e703b3f6

SHA512
a804d9b727f560596533b6d680b17d4941247be7698b0a4b01a7b844b5bf30980c7810e891d4802b38474c5c619c023d1587701f8541ddd9af9372fd0b148d23

Download Submit
memory/408-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/408-11-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/408-17-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/408-19-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/1856-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1856-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1856-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1856-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.