healer | 85c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b

Analysis

max time kernel
188s
max time network
258s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2023 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

g2204807.exe
Size

236KB
MD5

bd7db8b543d1b8d37a380bace855e6f1
SHA1

6bb4a5230f3038cfc4414e36175e399df0123568
SHA256

85c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b
SHA512

bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f
SSDEEP

6144:d/KXjE22jicP5iOo2T8VrSd/sUAOx2l2TYb1Sa:diXHqiG59ouH2kYb1Sa

Score

10^/10

healer dropper evasion trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4660-0-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g2204807.exe

description pid process target process

PID 664 set thread context of 4660 664 g2204807.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

4660 AppLaunch.exe
4660 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 4660 AppLaunch.exe

description	pid	process	target process
PID 664 set thread context of 4660	664	g2204807.exe	AppLaunch.exe

pid	process
4660	AppLaunch.exe
4660	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4660	AppLaunch.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

g2204807.exe

description	pid	process	target process
PID 664 wrote to memory of 4660	664	g2204807.exe	AppLaunch.exe
PID 664 wrote to memory of 4660	664	g2204807.exe	AppLaunch.exe
PID 664 wrote to memory of 4660	664	g2204807.exe	AppLaunch.exe
PID 664 wrote to memory of 4660	664	g2204807.exe	AppLaunch.exe
PID 664 wrote to memory of 4660	664	g2204807.exe	AppLaunch.exe
PID 664 wrote to memory of 4660	664	g2204807.exe	AppLaunch.exe
PID 664 wrote to memory of 4660	664	g2204807.exe	AppLaunch.exe
PID 664 wrote to memory of 4660	664	g2204807.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\g2204807.exe
"C:\Users\Admin\AppData\Local\Temp\g2204807.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4660-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4660-4-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/4660-13-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/4660-28-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download