healer | 7df44fc7e38a00c98f4c5b4392a085aa7acd683908511b6db11cb86da8111b90

Analysis

max time kernel
127s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
21/09/2023, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7df44fc7e38a00c98f4c5b4392a085aa7acd683908511b6db11cb86da8111b90.exe
Size

1.3MB
MD5

bb43aabe94cd4da7d2c1a3b4cdb8a25b
SHA1

326e19db89a82e7e42384b41c3b5f0930806eb89
SHA256

7df44fc7e38a00c98f4c5b4392a085aa7acd683908511b6db11cb86da8111b90
SHA512

8da08b9d2903c730f32643afd61bb1235d05b3dd7698b456016a6d8e7ef22a8c58e1314eb50d7170ac6af96c8fbfa4c0056878a59f907c355c0d1fbb9317cf36
SSDEEP

24576:+yyL0rARXHB9OOSdVgUGYld9BCXc9hbov1xTXttLqr7deZQCa:NynNLjC94QbA1dd48ZP

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afcb-33.dat	healer
behavioral1/files/0x000700000001afcb-34.dat	healer
behavioral1/memory/2144-35-0x0000000000B80000-0x0000000000B8A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q9624481.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q9624481.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q9624481.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q9624481.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q9624481.exe

Executes dropped EXE 6 IoCs

pid	Process
360	z1807320.exe
5004	z8347785.exe
3868	z7801960.exe
3424	z5759318.exe
2144	q9624481.exe
4436	r1073502.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q9624481.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z5759318.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7df44fc7e38a00c98f4c5b4392a085aa7acd683908511b6db11cb86da8111b90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1807320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8347785.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7801960.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4436 set thread context of 4956	4436	r1073502.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4108	4436	WerFault.exe	75
3864	4956	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2144	q9624481.exe
2144	q9624481.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	q9624481.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 360	3840	7df44fc7e38a00c98f4c5b4392a085aa7acd683908511b6db11cb86da8111b90.exe	70
PID 3840 wrote to memory of 360	3840	7df44fc7e38a00c98f4c5b4392a085aa7acd683908511b6db11cb86da8111b90.exe	70
PID 3840 wrote to memory of 360	3840	7df44fc7e38a00c98f4c5b4392a085aa7acd683908511b6db11cb86da8111b90.exe	70
PID 360 wrote to memory of 5004	360	z1807320.exe	71
PID 360 wrote to memory of 5004	360	z1807320.exe	71
PID 360 wrote to memory of 5004	360	z1807320.exe	71
PID 5004 wrote to memory of 3868	5004	z8347785.exe	72
PID 5004 wrote to memory of 3868	5004	z8347785.exe	72
PID 5004 wrote to memory of 3868	5004	z8347785.exe	72
PID 3868 wrote to memory of 3424	3868	z7801960.exe	73
PID 3868 wrote to memory of 3424	3868	z7801960.exe	73
PID 3868 wrote to memory of 3424	3868	z7801960.exe	73
PID 3424 wrote to memory of 2144	3424	z5759318.exe	74
PID 3424 wrote to memory of 2144	3424	z5759318.exe	74
PID 3424 wrote to memory of 4436	3424	z5759318.exe	75
PID 3424 wrote to memory of 4436	3424	z5759318.exe	75
PID 3424 wrote to memory of 4436	3424	z5759318.exe	75
PID 4436 wrote to memory of 4956	4436	r1073502.exe	77
PID 4436 wrote to memory of 4956	4436	r1073502.exe	77
PID 4436 wrote to memory of 4956	4436	r1073502.exe	77
PID 4436 wrote to memory of 4956	4436	r1073502.exe	77
PID 4436 wrote to memory of 4956	4436	r1073502.exe	77
PID 4436 wrote to memory of 4956	4436	r1073502.exe	77
PID 4436 wrote to memory of 4956	4436	r1073502.exe	77
PID 4436 wrote to memory of 4956	4436	r1073502.exe	77
PID 4436 wrote to memory of 4956	4436	r1073502.exe	77
PID 4436 wrote to memory of 4956	4436	r1073502.exe	77

C:\Users\Admin\AppData\Local\Temp\7df44fc7e38a00c98f4c5b4392a085aa7acd683908511b6db11cb86da8111b90.exe
"C:\Users\Admin\AppData\Local\Temp\7df44fc7e38a00c98f4c5b4392a085aa7acd683908511b6db11cb86da8111b90.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1807320.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1807320.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8347785.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8347785.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7801960.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7801960.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5759318.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5759318.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3424
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9624481.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9624481.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1073502.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1073502.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 568
        8⤵
        Program crash
        
        PID:3864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 580
        7⤵
        Program crash
        
        PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1807320.exe

Filesize
1.2MB

MD5
1554a97e4fc07652d4b6f2544d4de1be

SHA1
d9aadb6e0b028364eacb404d90da3044c7940feb

SHA256
830f38f24e47fc09f50084ce9dab334476522b0e3ec8cc76c0c911f881d57595

SHA512
1c1fbc1b60e57a55997043e5d6711b2ee463c43f58e6f94f88cc182b3ce3a5ff31fa3dd9faf1652ef9c69f49d7a444bbc41d954d7661d8c35fc12879b86cfe30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1807320.exe

Filesize
1.2MB

MD5
1554a97e4fc07652d4b6f2544d4de1be

SHA1
d9aadb6e0b028364eacb404d90da3044c7940feb

SHA256
830f38f24e47fc09f50084ce9dab334476522b0e3ec8cc76c0c911f881d57595

SHA512
1c1fbc1b60e57a55997043e5d6711b2ee463c43f58e6f94f88cc182b3ce3a5ff31fa3dd9faf1652ef9c69f49d7a444bbc41d954d7661d8c35fc12879b86cfe30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8347785.exe

Filesize
1.0MB

MD5
2e532ebe65f05b3ff2771c3972e7c4f5

SHA1
a052dcfdb136cd2743e3fe35cdde0ef5b9afa058

SHA256
4bf9c96fb384cf1e591b603a2f449a8339a6e48732114998a98758c2887ea064

SHA512
dff75895c545e00bf675371a8ab6f3028fc01192422ca7daa079c7862b16da468f52729871aefa836b5ddcdee65263ec60c407ee8ae0c88cf4494fda20cc6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8347785.exe

Filesize
1.0MB

MD5
2e532ebe65f05b3ff2771c3972e7c4f5

SHA1
a052dcfdb136cd2743e3fe35cdde0ef5b9afa058

SHA256
4bf9c96fb384cf1e591b603a2f449a8339a6e48732114998a98758c2887ea064

SHA512
dff75895c545e00bf675371a8ab6f3028fc01192422ca7daa079c7862b16da468f52729871aefa836b5ddcdee65263ec60c407ee8ae0c88cf4494fda20cc6130

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7801960.exe

Filesize
867KB

MD5
3d956f0fefc1e28c54c1ad2b95cb1b17

SHA1
e510a7e92844f2821ffe6d9f3aa29ca08d4c50b6

SHA256
602f6864fc18bfe18df58d93fb069eefe7f9a1dee3fcc87799894268c9ee2ed9

SHA512
8ac650aa557ab5d07d77fc0029a74744daadde4e6d5727514f59b7c270056ccb0235c26bce9c6ead111bd69e8cbf77f53e3da26d40787bec760a2b94e63d8562

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7801960.exe

Filesize
867KB

MD5
3d956f0fefc1e28c54c1ad2b95cb1b17

SHA1
e510a7e92844f2821ffe6d9f3aa29ca08d4c50b6

SHA256
602f6864fc18bfe18df58d93fb069eefe7f9a1dee3fcc87799894268c9ee2ed9

SHA512
8ac650aa557ab5d07d77fc0029a74744daadde4e6d5727514f59b7c270056ccb0235c26bce9c6ead111bd69e8cbf77f53e3da26d40787bec760a2b94e63d8562

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5759318.exe

Filesize
475KB

MD5
28c0b1f33aefc4b339a093ecc5856956

SHA1
d0338560380da9b3bf31dbf836966b69cde37bab

SHA256
786752eae6d5183919af4e9cdeffca4e27c79b81f8e70d1c5c3fbeae1f1eff99

SHA512
f92d083367d4f0572a4f3cdeb0c93717a6ab63a9323f1d0ad0de125e1ddaa260b7cdfd9856fdc9f974ce609c354fbbab4ca3c7f0f7b7b2d8fbde32b4820b8977

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5759318.exe

Filesize
475KB

MD5
28c0b1f33aefc4b339a093ecc5856956

SHA1
d0338560380da9b3bf31dbf836966b69cde37bab

SHA256
786752eae6d5183919af4e9cdeffca4e27c79b81f8e70d1c5c3fbeae1f1eff99

SHA512
f92d083367d4f0572a4f3cdeb0c93717a6ab63a9323f1d0ad0de125e1ddaa260b7cdfd9856fdc9f974ce609c354fbbab4ca3c7f0f7b7b2d8fbde32b4820b8977

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9624481.exe

Filesize
11KB

MD5
19c22162fd676451e1967474a4076e6f

SHA1
87d8fb1eb1b75c81977dbd83a6cf860e93379387

SHA256
00279d7287a94179b005376b0d03f5e6ee190f259a8f48954bbb20ced05c3f9c

SHA512
f305788720bc0ca21ffa431e5041a33ed45aecfee712af6276beb316028592afaf4c085cbce963e43544937454e5f65627413b12dd726311c77070f2cc4cb1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9624481.exe

Filesize
11KB

MD5
19c22162fd676451e1967474a4076e6f

SHA1
87d8fb1eb1b75c81977dbd83a6cf860e93379387

SHA256
00279d7287a94179b005376b0d03f5e6ee190f259a8f48954bbb20ced05c3f9c

SHA512
f305788720bc0ca21ffa431e5041a33ed45aecfee712af6276beb316028592afaf4c085cbce963e43544937454e5f65627413b12dd726311c77070f2cc4cb1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1073502.exe

Filesize
1.0MB

MD5
25e7ce7a4be831c472d209125ca8108d

SHA1
a73362d1e402507a1ec11b9e0b8f618c444ed409

SHA256
5eb95321b00a471b80c2f8d98c53e3dc142932cbcbba88299da8cfba62edf3d0

SHA512
26e6bbbe77a5815536dc7883576b91b5cec63678a0202916929ea23858c3b68a73886b6c09e47fd2c816f50aced2606f59c050cf059a4b86116d6e10ce118d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1073502.exe

Filesize
1.0MB

MD5
25e7ce7a4be831c472d209125ca8108d

SHA1
a73362d1e402507a1ec11b9e0b8f618c444ed409

SHA256
5eb95321b00a471b80c2f8d98c53e3dc142932cbcbba88299da8cfba62edf3d0

SHA512
26e6bbbe77a5815536dc7883576b91b5cec63678a0202916929ea23858c3b68a73886b6c09e47fd2c816f50aced2606f59c050cf059a4b86116d6e10ce118d97

Download Submit
memory/2144-35-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/2144-36-0x00007FFE4D330000-0x00007FFE4DD1C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-38-0x00007FFE4D330000-0x00007FFE4DD1C000-memory.dmp

Filesize
9.9MB

Download
memory/4956-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4956-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4956-46-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4956-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download