healer | 4270a3459505c9160acb66a6e8b4dc16454f29eead58d18262be263907f60ad6

Analysis

max time kernel
117s
max time network
127s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
21/09/2023, 01:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4270a3459505c9160acb66a6e8b4dc16454f29eead58d18262be263907f60ad6.exe
Size

1.3MB
MD5

bf2c81231c283e0320777303c6194c4c
SHA1

1c8d2bf7569db96b5cca5dfb26543a3a9619b5b4
SHA256

4270a3459505c9160acb66a6e8b4dc16454f29eead58d18262be263907f60ad6
SHA512

13b1a6941b1b5f240cffd5033f1046070948b77efa6ac5e0f89f28437e103e2cb9fa97759c1b6b7448f65ff55f911aaf06d9b4e87bca53f60aea891da7fe4779
SSDEEP

24576:4yQtuIxxMSMkayWY8fllnwPacTpdgKsYF9AzOIvH/y/UV39k:/ar6Zyki1dgSF2/yU

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afb0-25.dat	healer
behavioral1/files/0x000700000001afb0-27.dat	healer
behavioral1/memory/372-28-0x0000000000E90000-0x0000000000E9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7895525.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7895525.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7895525.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7895525.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7895525.exe

Executes dropped EXE 5 IoCs

pid	Process
2792	v6225293.exe
3672	v6718746.exe
432	v0217463.exe
372	a7895525.exe
2320	b0778415.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7895525.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4270a3459505c9160acb66a6e8b4dc16454f29eead58d18262be263907f60ad6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6225293.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6718746.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0217463.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 4280	2320	b0778415.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4084	2320	WerFault.exe	74
1744	4280	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
372	a7895525.exe
372	a7895525.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	a7895525.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 2792	3708	4270a3459505c9160acb66a6e8b4dc16454f29eead58d18262be263907f60ad6.exe	70
PID 3708 wrote to memory of 2792	3708	4270a3459505c9160acb66a6e8b4dc16454f29eead58d18262be263907f60ad6.exe	70
PID 3708 wrote to memory of 2792	3708	4270a3459505c9160acb66a6e8b4dc16454f29eead58d18262be263907f60ad6.exe	70
PID 2792 wrote to memory of 3672	2792	v6225293.exe	71
PID 2792 wrote to memory of 3672	2792	v6225293.exe	71
PID 2792 wrote to memory of 3672	2792	v6225293.exe	71
PID 3672 wrote to memory of 432	3672	v6718746.exe	72
PID 3672 wrote to memory of 432	3672	v6718746.exe	72
PID 3672 wrote to memory of 432	3672	v6718746.exe	72
PID 432 wrote to memory of 372	432	v0217463.exe	73
PID 432 wrote to memory of 372	432	v0217463.exe	73
PID 432 wrote to memory of 2320	432	v0217463.exe	74
PID 432 wrote to memory of 2320	432	v0217463.exe	74
PID 432 wrote to memory of 2320	432	v0217463.exe	74
PID 2320 wrote to memory of 4280	2320	b0778415.exe	76
PID 2320 wrote to memory of 4280	2320	b0778415.exe	76
PID 2320 wrote to memory of 4280	2320	b0778415.exe	76
PID 2320 wrote to memory of 4280	2320	b0778415.exe	76
PID 2320 wrote to memory of 4280	2320	b0778415.exe	76
PID 2320 wrote to memory of 4280	2320	b0778415.exe	76
PID 2320 wrote to memory of 4280	2320	b0778415.exe	76
PID 2320 wrote to memory of 4280	2320	b0778415.exe	76
PID 2320 wrote to memory of 4280	2320	b0778415.exe	76
PID 2320 wrote to memory of 4280	2320	b0778415.exe	76

C:\Users\Admin\AppData\Local\Temp\4270a3459505c9160acb66a6e8b4dc16454f29eead58d18262be263907f60ad6.exe
"C:\Users\Admin\AppData\Local\Temp\4270a3459505c9160acb66a6e8b4dc16454f29eead58d18262be263907f60ad6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225293.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225293.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6718746.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6718746.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0217463.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0217463.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7895525.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7895525.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0778415.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0778415.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 568
        7⤵
        Program crash
        
        PID:1744
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 576
        6⤵
        Program crash
        
        PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225293.exe

Filesize
1.2MB

MD5
d5ac42a3b47339decf2b69ba2fc067c6

SHA1
456e53858e24791e83d6a5e9f550b66346aa1ea2

SHA256
7d869a1b722c3ae814f857370cac4047d2f20a8290e324485777799c6a610fc5

SHA512
2cc050abea6cd6c08a4ad489ebd084b86842aa4d18c2bf5a40a2372036c1b5f3227108c52880903eba3e1aed837094c75710abe702aef0f65bc7ad3bd800a9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225293.exe

Filesize
1.2MB

MD5
d5ac42a3b47339decf2b69ba2fc067c6

SHA1
456e53858e24791e83d6a5e9f550b66346aa1ea2

SHA256
7d869a1b722c3ae814f857370cac4047d2f20a8290e324485777799c6a610fc5

SHA512
2cc050abea6cd6c08a4ad489ebd084b86842aa4d18c2bf5a40a2372036c1b5f3227108c52880903eba3e1aed837094c75710abe702aef0f65bc7ad3bd800a9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6718746.exe

Filesize
836KB

MD5
b126b7dc19491fe4e4749b1cf5ae87c8

SHA1
53919205e0d7ed29c84dc95e3e048eaea132447f

SHA256
20ef7d4b3f0940dae99be06e8371635670e6de1fb764e03af0e2100cdfc1cf7b

SHA512
ae70845e4d941be03712beb390cf9467f40508eedbd9d88865f7c361696564d8602b0e2e1dc6679c88d0f97bd7aa34ed36701fd85bdaef4bdac0664c01f1c6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6718746.exe

Filesize
836KB

MD5
b126b7dc19491fe4e4749b1cf5ae87c8

SHA1
53919205e0d7ed29c84dc95e3e048eaea132447f

SHA256
20ef7d4b3f0940dae99be06e8371635670e6de1fb764e03af0e2100cdfc1cf7b

SHA512
ae70845e4d941be03712beb390cf9467f40508eedbd9d88865f7c361696564d8602b0e2e1dc6679c88d0f97bd7aa34ed36701fd85bdaef4bdac0664c01f1c6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0217463.exe

Filesize
475KB

MD5
3fb5ef7421dda27b814e538729d6dc1b

SHA1
b225e58d426251ef7b0dd421a1735de7ab2eaad5

SHA256
af29490959a8a856b501216a8621f5d0231d08697b246ba339c108ab55fefae5

SHA512
cb3a6e6b288908cdd644f9eb472240af0d1ae575f457c85df5885490211673a23e501f14c76d875b06099677bd5ea3eae86e5b19f03acde163c282a8e6a3b25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0217463.exe

Filesize
475KB

MD5
3fb5ef7421dda27b814e538729d6dc1b

SHA1
b225e58d426251ef7b0dd421a1735de7ab2eaad5

SHA256
af29490959a8a856b501216a8621f5d0231d08697b246ba339c108ab55fefae5

SHA512
cb3a6e6b288908cdd644f9eb472240af0d1ae575f457c85df5885490211673a23e501f14c76d875b06099677bd5ea3eae86e5b19f03acde163c282a8e6a3b25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7895525.exe

Filesize
11KB

MD5
0965d53b8bba0d2e35e751fb24194369

SHA1
7ed84fe0934fcff573047620e6a455728f8192fe

SHA256
c69356cc8f56505631537ed4c342fe4652c56cd9e0f85717501167b66e24c8d9

SHA512
6d8f5c6ab27d14c57af3db37e40023f1fd8ee436bb5b41cad5f2764d3baa014bf156e64206cd94675239678a4b7e2af433feea997bef49bbd4f70caf6053af62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7895525.exe

Filesize
11KB

MD5
0965d53b8bba0d2e35e751fb24194369

SHA1
7ed84fe0934fcff573047620e6a455728f8192fe

SHA256
c69356cc8f56505631537ed4c342fe4652c56cd9e0f85717501167b66e24c8d9

SHA512
6d8f5c6ab27d14c57af3db37e40023f1fd8ee436bb5b41cad5f2764d3baa014bf156e64206cd94675239678a4b7e2af433feea997bef49bbd4f70caf6053af62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0778415.exe

Filesize
1.0MB

MD5
055103fa9162ab11eab401f3c0ac7015

SHA1
a718462f2bd63577a3ff744ae5771036bf80fdf4

SHA256
bc7ddaa36476da68cec413fb728ef64981940fe3327782916c27be814a33e491

SHA512
17b8ceb908f23f6b6903a7a1c892f0641a8a70490164baf9a83933238aafd624acaefb9555a548bf03e9a8c684c6abe3fff4937a876b895f66f79cc5f7098d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0778415.exe

Filesize
1.0MB

MD5
055103fa9162ab11eab401f3c0ac7015

SHA1
a718462f2bd63577a3ff744ae5771036bf80fdf4

SHA256
bc7ddaa36476da68cec413fb728ef64981940fe3327782916c27be814a33e491

SHA512
17b8ceb908f23f6b6903a7a1c892f0641a8a70490164baf9a83933238aafd624acaefb9555a548bf03e9a8c684c6abe3fff4937a876b895f66f79cc5f7098d2f

Download Submit
memory/372-31-0x00007FF9DB3D0000-0x00007FF9DBDBC000-memory.dmp

Filesize
9.9MB

Download
memory/372-29-0x00007FF9DB3D0000-0x00007FF9DBDBC000-memory.dmp

Filesize
9.9MB

Download
memory/372-28-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/4280-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-38-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download