healer | 3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75

Analysis

max time kernel
128s
max time network
136s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
19/09/2023, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe
Size

1.4MB
MD5

bb446a0afa74f0e2ae92aaf5b3291180
SHA1

2d748633a9f4e8b542e98f659d99c7d6c1fc71f1
SHA256

3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75
SHA512

e8aeb0973c760ae1ed01b5c9d5b6b25ee44f7e5c0db92d9c07348c742f7471422d8e0b76204323a96aabbe504ff052684cbea414c103699299111d6481faebf3
SSDEEP

24576:OLLSJBT3GnM0k7CzKXyTelDZqroJTP+yko4izE8S0KpAAyQzJ2CmCIuTs5f:qS7GnMt7CGXyT80sJTGy+izrKpAzQF2x

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/3748-41-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
3800	z4294908.exe
2744	z2335279.exe
4516	z9618989.exe
2584	z5168956.exe
4868	q5656348.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4294908.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2335279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9618989.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z5168956.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4868 set thread context of 3748	4868	q5656348.exe	80

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3172	4508	WerFault.exe	69
4520	4868	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3748	AppLaunch.exe
3748	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3748	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4508 wrote to memory of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4508 wrote to memory of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4508 wrote to memory of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4508 wrote to memory of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4508 wrote to memory of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4508 wrote to memory of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4508 wrote to memory of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4508 wrote to memory of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4508 wrote to memory of 4932	4508	3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe	71
PID 4932 wrote to memory of 3800	4932	AppLaunch.exe	74
PID 4932 wrote to memory of 3800	4932	AppLaunch.exe	74
PID 4932 wrote to memory of 3800	4932	AppLaunch.exe	74
PID 3800 wrote to memory of 2744	3800	z4294908.exe	75
PID 3800 wrote to memory of 2744	3800	z4294908.exe	75
PID 3800 wrote to memory of 2744	3800	z4294908.exe	75
PID 2744 wrote to memory of 4516	2744	z2335279.exe	76
PID 2744 wrote to memory of 4516	2744	z2335279.exe	76
PID 2744 wrote to memory of 4516	2744	z2335279.exe	76
PID 4516 wrote to memory of 2584	4516	z9618989.exe	77
PID 4516 wrote to memory of 2584	4516	z9618989.exe	77
PID 4516 wrote to memory of 2584	4516	z9618989.exe	77
PID 2584 wrote to memory of 4868	2584	z5168956.exe	78
PID 2584 wrote to memory of 4868	2584	z5168956.exe	78
PID 2584 wrote to memory of 4868	2584	z5168956.exe	78
PID 4868 wrote to memory of 3748	4868	q5656348.exe	80
PID 4868 wrote to memory of 3748	4868	q5656348.exe	80
PID 4868 wrote to memory of 3748	4868	q5656348.exe	80
PID 4868 wrote to memory of 3748	4868	q5656348.exe	80
PID 4868 wrote to memory of 3748	4868	q5656348.exe	80
PID 4868 wrote to memory of 3748	4868	q5656348.exe	80
PID 4868 wrote to memory of 3748	4868	q5656348.exe	80
PID 4868 wrote to memory of 3748	4868	q5656348.exe	80

C:\Users\Admin\AppData\Local\Temp\3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe
"C:\Users\Admin\AppData\Local\Temp\3b3f4fb5307e3b8d96c69b19a2eb156371a043dc3cd398b1e08c86d1a97bff75.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4294908.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4294908.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2335279.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2335279.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9618989.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9618989.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4516
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5168956.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5168956.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5656348.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5656348.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 144
        8⤵
        Program crash
        
        PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 148
  2⤵
  - Program crash
  PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4294908.exe

Filesize
1.0MB

MD5
3530e44bb0ec5d0119aa6bf7a511fd28

SHA1
e8d56468a10ee77839a0a216dde1eee75090bbe4

SHA256
70fc6bf434fc0269c3fa0910204e7f3ed0bd3fb9fb056ed30a75af15c6ac4924

SHA512
c18378ee31373fd5da1ea3c47146aff9e749fa39baf6b61df21695391b2b9e6304d6a09e9f2cd0485ea8e4a646507eea33de3ff56cc69691c8e71b440a0623e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4294908.exe

Filesize
1.0MB

MD5
3530e44bb0ec5d0119aa6bf7a511fd28

SHA1
e8d56468a10ee77839a0a216dde1eee75090bbe4

SHA256
70fc6bf434fc0269c3fa0910204e7f3ed0bd3fb9fb056ed30a75af15c6ac4924

SHA512
c18378ee31373fd5da1ea3c47146aff9e749fa39baf6b61df21695391b2b9e6304d6a09e9f2cd0485ea8e4a646507eea33de3ff56cc69691c8e71b440a0623e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2335279.exe

Filesize
790KB

MD5
b3d39cda251677158da89ec4317392f1

SHA1
1c01f4eaf7434337a63297ff36f66c34a1dced02

SHA256
9098434bfe6dbaaf7c04d3410955c7dc9e1c7f0561ee2b288e6085f5155443bd

SHA512
4a68b702bc786ac700aa4802fe36a1bcd01ae76cc178597af99775fbab8cd065e6a88dbb6c3ef949104bd491a4257bee2f3f3889a6b3f3fc8df9a19193a193d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2335279.exe

Filesize
790KB

MD5
b3d39cda251677158da89ec4317392f1

SHA1
1c01f4eaf7434337a63297ff36f66c34a1dced02

SHA256
9098434bfe6dbaaf7c04d3410955c7dc9e1c7f0561ee2b288e6085f5155443bd

SHA512
4a68b702bc786ac700aa4802fe36a1bcd01ae76cc178597af99775fbab8cd065e6a88dbb6c3ef949104bd491a4257bee2f3f3889a6b3f3fc8df9a19193a193d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9618989.exe

Filesize
607KB

MD5
107c7b16f9c78ccb2558d0c7c236f608

SHA1
5efe9e72a897617e881f5c0cea99d9fabe31ceff

SHA256
e6f2c9c75096b9a197c347413a16b059b6ba6b0fb65ebf069f4ad718e936739b

SHA512
feed494e9d17da3dfed2c694eda82fc300835f15499b46a0d99883574c4c9b4d28bf8373aabc920bde20be000c113aea66b102b68fae87816e186d9c7bf3854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9618989.exe

Filesize
607KB

MD5
107c7b16f9c78ccb2558d0c7c236f608

SHA1
5efe9e72a897617e881f5c0cea99d9fabe31ceff

SHA256
e6f2c9c75096b9a197c347413a16b059b6ba6b0fb65ebf069f4ad718e936739b

SHA512
feed494e9d17da3dfed2c694eda82fc300835f15499b46a0d99883574c4c9b4d28bf8373aabc920bde20be000c113aea66b102b68fae87816e186d9c7bf3854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5168956.exe

Filesize
366KB

MD5
80daf6fd1fc6e66ef47ccc39fcc108ef

SHA1
4ecd29b8a9c1faa393a0736ae3844d846f4c98dd

SHA256
ba8b0dcb4ebc63384d35f2d5faf9835b1a06727ea5f9e422b90d7ae49a852d35

SHA512
a10880fd68a31d0e88082c0375220a322cc571774233e721559c5b2ad58f77b232f4ee48d8e5a1510fb1435204eee0c279376ea13c90740152510a909d774f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5168956.exe

Filesize
366KB

MD5
80daf6fd1fc6e66ef47ccc39fcc108ef

SHA1
4ecd29b8a9c1faa393a0736ae3844d846f4c98dd

SHA256
ba8b0dcb4ebc63384d35f2d5faf9835b1a06727ea5f9e422b90d7ae49a852d35

SHA512
a10880fd68a31d0e88082c0375220a322cc571774233e721559c5b2ad58f77b232f4ee48d8e5a1510fb1435204eee0c279376ea13c90740152510a909d774f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5656348.exe

Filesize
234KB

MD5
e2b9cd19f475fe2a3fb12b4c711aa3b3

SHA1
346d7c0ea92298d99da45e2f9e5cc550c6964af4

SHA256
0ebe41faf2c6974350e8f53651d7f05286675970678fa83fc452eeffcc8800ea

SHA512
c5308f9cdcfd901ba02aec944812060725e4792a57e81e18ea4655b4e657cfb61920e7455d81fb2009415bfb9dcc99333bbacf51266e4eecb6a145729429df7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5656348.exe

Filesize
234KB

MD5
e2b9cd19f475fe2a3fb12b4c711aa3b3

SHA1
346d7c0ea92298d99da45e2f9e5cc550c6964af4

SHA256
0ebe41faf2c6974350e8f53651d7f05286675970678fa83fc452eeffcc8800ea

SHA512
c5308f9cdcfd901ba02aec944812060725e4792a57e81e18ea4655b4e657cfb61920e7455d81fb2009415bfb9dcc99333bbacf51266e4eecb6a145729429df7f

Download Submit
memory/3748-41-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3748-45-0x0000000072230000-0x000000007291E000-memory.dmp

Filesize
6.9MB

Download
memory/3748-57-0x0000000072230000-0x000000007291E000-memory.dmp

Filesize
6.9MB

Download
memory/3748-70-0x0000000072230000-0x000000007291E000-memory.dmp

Filesize
6.9MB

Download
memory/4932-0-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4932-1-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4932-2-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4932-4-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4932-9-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4932-54-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download