healer | 0e729e99e331549dd945910d0c1a3d174e7d62dcd796707783aac600d90fb345

General

Target

0e729e99e331549dd945910d0c1a3d174e7d62dcd796707783aac600d90fb345.exe
Size

1.1MB
MD5

074996a13d1421769ce0474211a08ff4
SHA1

b58c3a3064b218790e9bcbe1e65fa75a7c45b73c
SHA256

0e729e99e331549dd945910d0c1a3d174e7d62dcd796707783aac600d90fb345
SHA512

14e650295b573139045e95510d9d3d0e97fb79823c9b5b10d2671acc6080df46ceafb221a19c0ec2ea7e37cc9bbe86446d1d05478740be8516f61cbe5f712269
SSDEEP

24576:Ey5q8KHVDUFEuoEwSKbU+kdTXIcJBs/NxIj2wuB+:T5qZ1DdEwlIdT4A0wj2wuB

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/5028-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 4 IoCs

pid	Process
4144	x9497068.exe
2824	x6100170.exe
4228	x4936828.exe
1548	g9710226.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6100170.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4936828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e729e99e331549dd945910d0c1a3d174e7d62dcd796707783aac600d90fb345.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9497068.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 5028	1548	g9710226.exe	74

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4120	1548	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5028	AppLaunch.exe
5028	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4144	1372	0e729e99e331549dd945910d0c1a3d174e7d62dcd796707783aac600d90fb345.exe	69
PID 1372 wrote to memory of 4144	1372	0e729e99e331549dd945910d0c1a3d174e7d62dcd796707783aac600d90fb345.exe	69
PID 1372 wrote to memory of 4144	1372	0e729e99e331549dd945910d0c1a3d174e7d62dcd796707783aac600d90fb345.exe	69
PID 4144 wrote to memory of 2824	4144	x9497068.exe	70
PID 4144 wrote to memory of 2824	4144	x9497068.exe	70
PID 4144 wrote to memory of 2824	4144	x9497068.exe	70
PID 2824 wrote to memory of 4228	2824	x6100170.exe	71
PID 2824 wrote to memory of 4228	2824	x6100170.exe	71
PID 2824 wrote to memory of 4228	2824	x6100170.exe	71
PID 4228 wrote to memory of 1548	4228	x4936828.exe	72
PID 4228 wrote to memory of 1548	4228	x4936828.exe	72
PID 4228 wrote to memory of 1548	4228	x4936828.exe	72
PID 1548 wrote to memory of 5028	1548	g9710226.exe	74
PID 1548 wrote to memory of 5028	1548	g9710226.exe	74
PID 1548 wrote to memory of 5028	1548	g9710226.exe	74
PID 1548 wrote to memory of 5028	1548	g9710226.exe	74
PID 1548 wrote to memory of 5028	1548	g9710226.exe	74
PID 1548 wrote to memory of 5028	1548	g9710226.exe	74
PID 1548 wrote to memory of 5028	1548	g9710226.exe	74
PID 1548 wrote to memory of 5028	1548	g9710226.exe	74

C:\Users\Admin\AppData\Local\Temp\0e729e99e331549dd945910d0c1a3d174e7d62dcd796707783aac600d90fb345.exe
"C:\Users\Admin\AppData\Local\Temp\0e729e99e331549dd945910d0c1a3d174e7d62dcd796707783aac600d90fb345.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9497068.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9497068.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6100170.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6100170.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4936828.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4936828.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9710226.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9710226.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 240
        6⤵
        Program crash
        
        PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9497068.exe

Filesize
1021KB

MD5
7811b80eb4f6dae80f4f5ade5c229266

SHA1
47994cc6e3118c56b5ad9e4b4cd9289afd693dc7

SHA256
5f2480d1b1774d781292f9a2f4dcbd0798ba902b4c0a6a8710f4b05b3592c2d5

SHA512
afc310ae96552e1076a947fd7de95c5d945b390af727fac4ad77b95708cc47a17efc51130a8142eac1e244e3ef63c92f2d2fc883aceb71ee6b3e8f1e433e5c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9497068.exe

Filesize
1021KB

MD5
7811b80eb4f6dae80f4f5ade5c229266

SHA1
47994cc6e3118c56b5ad9e4b4cd9289afd693dc7

SHA256
5f2480d1b1774d781292f9a2f4dcbd0798ba902b4c0a6a8710f4b05b3592c2d5

SHA512
afc310ae96552e1076a947fd7de95c5d945b390af727fac4ad77b95708cc47a17efc51130a8142eac1e244e3ef63c92f2d2fc883aceb71ee6b3e8f1e433e5c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6100170.exe

Filesize
628KB

MD5
754c7d9f1dbc912c505a644af834d620

SHA1
92bcba7dcaaa9f358646505822d3675f0146d7bd

SHA256
3ff6e8e7ecc4dcd5ba00a24e8b0648c3018961e602ba65e35e763969ae3ae316

SHA512
31ebb8f4119e801d82ababae23bf45333f067310feadbc93fe5832e2c2ab810b82b345ffd8320601c013520ddadb869fcd5c0d99d22a6c77af6fb099a7571cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6100170.exe

Filesize
628KB

MD5
754c7d9f1dbc912c505a644af834d620

SHA1
92bcba7dcaaa9f358646505822d3675f0146d7bd

SHA256
3ff6e8e7ecc4dcd5ba00a24e8b0648c3018961e602ba65e35e763969ae3ae316

SHA512
31ebb8f4119e801d82ababae23bf45333f067310feadbc93fe5832e2c2ab810b82b345ffd8320601c013520ddadb869fcd5c0d99d22a6c77af6fb099a7571cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4936828.exe

Filesize
443KB

MD5
36dec27a9037b82ac433650b58f4ef15

SHA1
c37a952601fd37dece5fec277445e0f0428120f7

SHA256
2c2da7a26244d058285ad9620295ed00d6145d227c0fca6bebefd6c9ada4ffc1

SHA512
9d0a453fb68013c6b8923619b1fdd3fda5cc26bc5b56fd4e891fb0c1278d9e2026ead6b84a80e75aae2a5a5dd49a983a33acae9c325b682a7e070f9596133ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4936828.exe

Filesize
443KB

MD5
36dec27a9037b82ac433650b58f4ef15

SHA1
c37a952601fd37dece5fec277445e0f0428120f7

SHA256
2c2da7a26244d058285ad9620295ed00d6145d227c0fca6bebefd6c9ada4ffc1

SHA512
9d0a453fb68013c6b8923619b1fdd3fda5cc26bc5b56fd4e891fb0c1278d9e2026ead6b84a80e75aae2a5a5dd49a983a33acae9c325b682a7e070f9596133ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9710226.exe

Filesize
861KB

MD5
4db24b3f68b120ad69481e3b3b00f444

SHA1
c35807a7e737094758b9286fb3a857eb742cb9dc

SHA256
e6a9233a602994f7c93a8a39202e0c1f7444cc75c69d40cd2326752cede57e6d

SHA512
71b63b1cc07555c60c5d411dda165a09de032d0b2f0dd0772ddc18e73f368f00f62f118a48e08fb9247b1223bef274395349085f3e5b061314f9229727419079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9710226.exe

Filesize
861KB

MD5
4db24b3f68b120ad69481e3b3b00f444

SHA1
c35807a7e737094758b9286fb3a857eb742cb9dc

SHA256
e6a9233a602994f7c93a8a39202e0c1f7444cc75c69d40cd2326752cede57e6d

SHA512
71b63b1cc07555c60c5d411dda165a09de032d0b2f0dd0772ddc18e73f368f00f62f118a48e08fb9247b1223bef274395349085f3e5b061314f9229727419079

Download Submit
memory/5028-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5028-32-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download
memory/5028-41-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download
memory/5028-56-0x0000000072B40000-0x000000007322E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads