healer | 404da6994679a07cf6d7b4b4c025192cf3577921a8e29fd900ae5db2d20a268d

Analysis

max time kernel
127s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
21/09/2023, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

404da6994679a07cf6d7b4b4c025192cf3577921a8e29fd900ae5db2d20a268d.exe
Size

1.1MB
MD5

58a28aac8e73562d5ff97b2b980b6dba
SHA1

117af2abc9041df0fb7b430c63ab0a9727d6de5c
SHA256

404da6994679a07cf6d7b4b4c025192cf3577921a8e29fd900ae5db2d20a268d
SHA512

51e2ce36be11800f234c102c71a053fd176a1a7424cdce473331a8fb1a999d4120e5aaefedbe0db48798333cad4958146afe1fb5a1c6d0fd70086df783bcaa9a
SSDEEP

24576:nyKY4kxZ64z/jy4M/MveR6w2KEiFQug9CEaOAEEo:y8kGj44vRLwiFQP9CENAEE

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afcd-33.dat	healer
behavioral1/files/0x000700000001afcd-34.dat	healer
behavioral1/memory/2304-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q3486370.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q3486370.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q3486370.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q3486370.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q3486370.exe

Executes dropped EXE 6 IoCs

pid	Process
4944	z9153754.exe
1604	z5566633.exe
2424	z5285526.exe
1768	z9159245.exe
2304	q3486370.exe
4904	r7660728.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q3486370.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	404da6994679a07cf6d7b4b4c025192cf3577921a8e29fd900ae5db2d20a268d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9153754.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5566633.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5285526.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9159245.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4904 set thread context of 2036	4904	r7660728.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4416	4904	WerFault.exe	75
4728	2036	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2304	q3486370.exe
2304	q3486370.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	q3486370.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4944	3996	404da6994679a07cf6d7b4b4c025192cf3577921a8e29fd900ae5db2d20a268d.exe	70
PID 3996 wrote to memory of 4944	3996	404da6994679a07cf6d7b4b4c025192cf3577921a8e29fd900ae5db2d20a268d.exe	70
PID 3996 wrote to memory of 4944	3996	404da6994679a07cf6d7b4b4c025192cf3577921a8e29fd900ae5db2d20a268d.exe	70
PID 4944 wrote to memory of 1604	4944	z9153754.exe	71
PID 4944 wrote to memory of 1604	4944	z9153754.exe	71
PID 4944 wrote to memory of 1604	4944	z9153754.exe	71
PID 1604 wrote to memory of 2424	1604	z5566633.exe	72
PID 1604 wrote to memory of 2424	1604	z5566633.exe	72
PID 1604 wrote to memory of 2424	1604	z5566633.exe	72
PID 2424 wrote to memory of 1768	2424	z5285526.exe	73
PID 2424 wrote to memory of 1768	2424	z5285526.exe	73
PID 2424 wrote to memory of 1768	2424	z5285526.exe	73
PID 1768 wrote to memory of 2304	1768	z9159245.exe	74
PID 1768 wrote to memory of 2304	1768	z9159245.exe	74
PID 1768 wrote to memory of 4904	1768	z9159245.exe	75
PID 1768 wrote to memory of 4904	1768	z9159245.exe	75
PID 1768 wrote to memory of 4904	1768	z9159245.exe	75
PID 4904 wrote to memory of 2036	4904	r7660728.exe	77
PID 4904 wrote to memory of 2036	4904	r7660728.exe	77
PID 4904 wrote to memory of 2036	4904	r7660728.exe	77
PID 4904 wrote to memory of 2036	4904	r7660728.exe	77
PID 4904 wrote to memory of 2036	4904	r7660728.exe	77
PID 4904 wrote to memory of 2036	4904	r7660728.exe	77
PID 4904 wrote to memory of 2036	4904	r7660728.exe	77
PID 4904 wrote to memory of 2036	4904	r7660728.exe	77
PID 4904 wrote to memory of 2036	4904	r7660728.exe	77
PID 4904 wrote to memory of 2036	4904	r7660728.exe	77

C:\Users\Admin\AppData\Local\Temp\404da6994679a07cf6d7b4b4c025192cf3577921a8e29fd900ae5db2d20a268d.exe
"C:\Users\Admin\AppData\Local\Temp\404da6994679a07cf6d7b4b4c025192cf3577921a8e29fd900ae5db2d20a268d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9153754.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9153754.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5566633.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5566633.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5285526.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5285526.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9159245.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9159245.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3486370.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3486370.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7660728.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7660728.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 200
        8⤵
        Program crash
        
        PID:4728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 572
        7⤵
        Program crash
        
        PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9153754.exe

Filesize
1.0MB

MD5
154e75631b9b642c2446b6fdfc82db79

SHA1
a2470cc3eb6cd5beffb856e0d5398ed40433e412

SHA256
bcdddf17e763afc05654b8c55ad4200c3f2a365292f910afe1b040d220423dfe

SHA512
ccfb5aec50eda7e5695b8fa4802a3f953393ac550027b420f63b9d682a797361e0344d6b47541c349689ba42d3911660c5e0eefee83bcbe1309a32e6659b4b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9153754.exe

Filesize
1.0MB

MD5
154e75631b9b642c2446b6fdfc82db79

SHA1
a2470cc3eb6cd5beffb856e0d5398ed40433e412

SHA256
bcdddf17e763afc05654b8c55ad4200c3f2a365292f910afe1b040d220423dfe

SHA512
ccfb5aec50eda7e5695b8fa4802a3f953393ac550027b420f63b9d682a797361e0344d6b47541c349689ba42d3911660c5e0eefee83bcbe1309a32e6659b4b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5566633.exe

Filesize
874KB

MD5
6a69cd547df944fb159b9bc6784b2dd5

SHA1
a7d98c8b55d3972ac37a53d932064dfb678e87ea

SHA256
6e9cb6ea505bf416438af3b0ef40b9ea9c9802b031a4366982dd2735db51aaa8

SHA512
13ab9189bd56f977fb0892cb4f47624c8eadf92368e50e5b94f7613a70a191b4dd4df4074be363fca57ab47a4c5524bb8456b5ef2d535c1e99edc4d53e14d7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5566633.exe

Filesize
874KB

MD5
6a69cd547df944fb159b9bc6784b2dd5

SHA1
a7d98c8b55d3972ac37a53d932064dfb678e87ea

SHA256
6e9cb6ea505bf416438af3b0ef40b9ea9c9802b031a4366982dd2735db51aaa8

SHA512
13ab9189bd56f977fb0892cb4f47624c8eadf92368e50e5b94f7613a70a191b4dd4df4074be363fca57ab47a4c5524bb8456b5ef2d535c1e99edc4d53e14d7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5285526.exe

Filesize
691KB

MD5
4eb8a7a13d10c533a4cdb9e606c5b346

SHA1
f93620c2092490a1f017ea4cda69561d815e3ed4

SHA256
01b0ea3f8f0b58d6e22c158d96627e4b7d6272f6faba03bd850cb0684b056526

SHA512
ac4bdc5aadcb2183da960a863a87bf30abf96b9ff0cad7234d6440cd0e4665af75aecf8d87e92d3494099344667229a7a3ec311d5a65f9f04a7b958309fd3eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5285526.exe

Filesize
691KB

MD5
4eb8a7a13d10c533a4cdb9e606c5b346

SHA1
f93620c2092490a1f017ea4cda69561d815e3ed4

SHA256
01b0ea3f8f0b58d6e22c158d96627e4b7d6272f6faba03bd850cb0684b056526

SHA512
ac4bdc5aadcb2183da960a863a87bf30abf96b9ff0cad7234d6440cd0e4665af75aecf8d87e92d3494099344667229a7a3ec311d5a65f9f04a7b958309fd3eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9159245.exe

Filesize
387KB

MD5
ca330145a087e4457f394f0431a549ce

SHA1
dde6bf2b10ab8416c7280d1b6f4000a232a8e39e

SHA256
e3c2588cbc260085dcdab681225419d6e0de47c8108b8bfbc831fe2814bccde2

SHA512
d7d0f58e4a4e7346a371c7a34a3e7c4d500f0f4c522075a6fbe6b8b91eb7bcf472711c2990ec16a825ade06048eef93259b664343513525d814c6e91c1de18b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9159245.exe

Filesize
387KB

MD5
ca330145a087e4457f394f0431a549ce

SHA1
dde6bf2b10ab8416c7280d1b6f4000a232a8e39e

SHA256
e3c2588cbc260085dcdab681225419d6e0de47c8108b8bfbc831fe2814bccde2

SHA512
d7d0f58e4a4e7346a371c7a34a3e7c4d500f0f4c522075a6fbe6b8b91eb7bcf472711c2990ec16a825ade06048eef93259b664343513525d814c6e91c1de18b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3486370.exe

Filesize
11KB

MD5
7e55f8743ecae8db17206b194a5f6046

SHA1
4c09aa829b2831c3720f399bcf7bb48bbc6b8c4f

SHA256
c0f6efa313868cde8ef3c08909c4c35f56c19f0bef2e75672e76d25c02b33c8f

SHA512
899101046ea723bd820d86f56d854278c7dbe1c20007c53d068a306ff90607ef54417a6775f20573184936be69628db4776da78f1c7d3cc2b7f1a7cb1cf06e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3486370.exe

Filesize
11KB

MD5
7e55f8743ecae8db17206b194a5f6046

SHA1
4c09aa829b2831c3720f399bcf7bb48bbc6b8c4f

SHA256
c0f6efa313868cde8ef3c08909c4c35f56c19f0bef2e75672e76d25c02b33c8f

SHA512
899101046ea723bd820d86f56d854278c7dbe1c20007c53d068a306ff90607ef54417a6775f20573184936be69628db4776da78f1c7d3cc2b7f1a7cb1cf06e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7660728.exe

Filesize
700KB

MD5
3bd788a3d0dc83cdfe8aa0f0f08f8c5d

SHA1
aa6861406fd316f255e11e34d4214f04d492ae8b

SHA256
dbbeb8f6930fea3ff848d6066f36a2c628c3f5efcad282b5af38a911a8be768d

SHA512
8708b4312dcd988492c4c2049fbdb1d5808fef49cc1a3ed33dc7327af159d47f8af64ae41c695b4fe6deb0e478416cc9e69aa44f9309ad7fa6d6c47658312346

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7660728.exe

Filesize
700KB

MD5
3bd788a3d0dc83cdfe8aa0f0f08f8c5d

SHA1
aa6861406fd316f255e11e34d4214f04d492ae8b

SHA256
dbbeb8f6930fea3ff848d6066f36a2c628c3f5efcad282b5af38a911a8be768d

SHA512
8708b4312dcd988492c4c2049fbdb1d5808fef49cc1a3ed33dc7327af159d47f8af64ae41c695b4fe6deb0e478416cc9e69aa44f9309ad7fa6d6c47658312346

Download Submit
memory/2036-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-46-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2304-36-0x00007FFCD57F0000-0x00007FFCD61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-38-0x00007FFCD57F0000-0x00007FFCD61DC000-memory.dmp

Filesize
9.9MB

Download