healer | a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8

Analysis

max time kernel
126s
max time network
134s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
22/09/2023, 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe
Size

1.1MB
MD5

5a8c0eae3553c80b57a9914a48facc85
SHA1

3b1c50bbced02507c2723a5e132e7be562fb14bc
SHA256

a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8
SHA512

08ddba5fce4cef2c55e74983358c8f4a9d8f4f4f9c8dc32340066dde3fd84725339561be8340daae1d47b5cb42ae04baeb0d12ed26241337a4cfd5281522d9fd
SSDEEP

24576:wyn95toiT+xnvRpTcPCFXzotnbYcq1WJnKZAt2VuKyS5o2qz:3n97oZvRpg6FXzdcq15ZAt2AKR0

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af81-32.dat	healer
behavioral1/files/0x000700000001af81-34.dat	healer
behavioral1/memory/312-35-0x0000000000040000-0x000000000004A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6280298.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6280298.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6280298.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6280298.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6280298.exe

Executes dropped EXE 6 IoCs

pid	Process
4324	z5697309.exe
2320	z9116776.exe
4512	z2442791.exe
3664	z9022901.exe
312	q6280298.exe
2880	r2344212.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6280298.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9116776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2442791.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9022901.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5697309.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 3928	2880	r2344212.exe	78

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3132	2880	WerFault.exe	75
4132	3928	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
312	q6280298.exe
312	q6280298.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	312	q6280298.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 4324	3316	a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe	70
PID 3316 wrote to memory of 4324	3316	a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe	70
PID 3316 wrote to memory of 4324	3316	a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe	70
PID 4324 wrote to memory of 2320	4324	z5697309.exe	71
PID 4324 wrote to memory of 2320	4324	z5697309.exe	71
PID 4324 wrote to memory of 2320	4324	z5697309.exe	71
PID 2320 wrote to memory of 4512	2320	z9116776.exe	72
PID 2320 wrote to memory of 4512	2320	z9116776.exe	72
PID 2320 wrote to memory of 4512	2320	z9116776.exe	72
PID 4512 wrote to memory of 3664	4512	z2442791.exe	73
PID 4512 wrote to memory of 3664	4512	z2442791.exe	73
PID 4512 wrote to memory of 3664	4512	z2442791.exe	73
PID 3664 wrote to memory of 312	3664	z9022901.exe	74
PID 3664 wrote to memory of 312	3664	z9022901.exe	74
PID 3664 wrote to memory of 2880	3664	z9022901.exe	75
PID 3664 wrote to memory of 2880	3664	z9022901.exe	75
PID 3664 wrote to memory of 2880	3664	z9022901.exe	75
PID 2880 wrote to memory of 4308	2880	r2344212.exe	77
PID 2880 wrote to memory of 4308	2880	r2344212.exe	77
PID 2880 wrote to memory of 4308	2880	r2344212.exe	77
PID 2880 wrote to memory of 3928	2880	r2344212.exe	78
PID 2880 wrote to memory of 3928	2880	r2344212.exe	78
PID 2880 wrote to memory of 3928	2880	r2344212.exe	78
PID 2880 wrote to memory of 3928	2880	r2344212.exe	78
PID 2880 wrote to memory of 3928	2880	r2344212.exe	78
PID 2880 wrote to memory of 3928	2880	r2344212.exe	78
PID 2880 wrote to memory of 3928	2880	r2344212.exe	78
PID 2880 wrote to memory of 3928	2880	r2344212.exe	78
PID 2880 wrote to memory of 3928	2880	r2344212.exe	78
PID 2880 wrote to memory of 3928	2880	r2344212.exe	78

C:\Users\Admin\AppData\Local\Temp\a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe
"C:\Users\Admin\AppData\Local\Temp\a76be79001579a1131b180709c83005caff2ed645a3a676595f428867d37f9d8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5697309.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5697309.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9116776.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9116776.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2442791.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2442791.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9022901.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9022901.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3664
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6280298.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6280298.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2344212.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2344212.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 568
        8⤵
        Program crash
        
        PID:4132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 160
        7⤵
        Program crash
        
        PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5697309.exe

Filesize
1.0MB

MD5
f616e08f5fcb82a823a9ec0560fe32a6

SHA1
db0bbf512621e8b4d898900f73484793dbea09a3

SHA256
1e0d930be55cf5775eb2a6fe9883fb3b0870872f74d27bf92e6b2198c556cc9f

SHA512
033fa1256b75f5a869e4f064224d27fbd01b69eca6db59fada80d06c815808714f7597ea2e9b9daaf824d38b227c339ac0d117aa52015a78acf62f7fa126fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5697309.exe

Filesize
1.0MB

MD5
f616e08f5fcb82a823a9ec0560fe32a6

SHA1
db0bbf512621e8b4d898900f73484793dbea09a3

SHA256
1e0d930be55cf5775eb2a6fe9883fb3b0870872f74d27bf92e6b2198c556cc9f

SHA512
033fa1256b75f5a869e4f064224d27fbd01b69eca6db59fada80d06c815808714f7597ea2e9b9daaf824d38b227c339ac0d117aa52015a78acf62f7fa126fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9116776.exe

Filesize
873KB

MD5
84bf006267b85f9b2c1bdc2ddd2fd98d

SHA1
7910ae594d75d2e504db6e9130d9042653f66beb

SHA256
a8cb7ec5c8f628378160a51432b3622be208c1478ca6eba003277521b58b2afb

SHA512
e07227a39614ab20074eafea93c1625673a0483f9eecccc645cbb5c342f8844232ae85b1f8c8a79cd0c84614ba6ba6cb09a4dd951a9cdc787b5a39fa0ec07085

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9116776.exe

Filesize
873KB

MD5
84bf006267b85f9b2c1bdc2ddd2fd98d

SHA1
7910ae594d75d2e504db6e9130d9042653f66beb

SHA256
a8cb7ec5c8f628378160a51432b3622be208c1478ca6eba003277521b58b2afb

SHA512
e07227a39614ab20074eafea93c1625673a0483f9eecccc645cbb5c342f8844232ae85b1f8c8a79cd0c84614ba6ba6cb09a4dd951a9cdc787b5a39fa0ec07085

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2442791.exe

Filesize
690KB

MD5
51b8384ab5a3aeddb592186d50a81f5d

SHA1
9f5a12de0abf225f13bd01f549931ebf43e8a144

SHA256
3e9f4414f42a9067310fa95bdd062408576820f44a638e341112bdd41939bee2

SHA512
f254c79fbe5c944e5773eafdd385db017e8cdf1f212ab28bf621f148535bfd95d7d2dcbc654a8356e9d541d9c94fcdd3cda04fe148ea9d518abed953f4cde1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2442791.exe

Filesize
690KB

MD5
51b8384ab5a3aeddb592186d50a81f5d

SHA1
9f5a12de0abf225f13bd01f549931ebf43e8a144

SHA256
3e9f4414f42a9067310fa95bdd062408576820f44a638e341112bdd41939bee2

SHA512
f254c79fbe5c944e5773eafdd385db017e8cdf1f212ab28bf621f148535bfd95d7d2dcbc654a8356e9d541d9c94fcdd3cda04fe148ea9d518abed953f4cde1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9022901.exe

Filesize
387KB

MD5
f776f15d766a47ef6a128a1a7792b932

SHA1
c95813f6c0156c78e7c25e93d411c32012817693

SHA256
002bb43f39d1d1ffe585bc7fb9fcf6eecaf99df42a5561c6e600d17c88b00b08

SHA512
b714b99da0325736a6297a5693cbafbf8f6b2fd2fe07ca422601e5c5286b76b3a4b007d19b6b22d0f97c1f3366d55a2f4d7040679318911cf12a2ed76d5f847d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9022901.exe

Filesize
387KB

MD5
f776f15d766a47ef6a128a1a7792b932

SHA1
c95813f6c0156c78e7c25e93d411c32012817693

SHA256
002bb43f39d1d1ffe585bc7fb9fcf6eecaf99df42a5561c6e600d17c88b00b08

SHA512
b714b99da0325736a6297a5693cbafbf8f6b2fd2fe07ca422601e5c5286b76b3a4b007d19b6b22d0f97c1f3366d55a2f4d7040679318911cf12a2ed76d5f847d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6280298.exe

Filesize
11KB

MD5
ea640d24b39ac16baf18e6ede52f0b04

SHA1
7eb7877e7f67d88921dfe90b0c8d01a798b15351

SHA256
8307360f88263280eedc76e1b1b05dbb8e3ef2ab2bab34b8fd5288ad02e42d09

SHA512
5668a57c324e2539d948737f058a7f84d36fe10e7c5f3ee3e9b081f7888f58ab589a287177876e8fa6480cae7d55de481d78fb5fe7bc7e6e79d114b679f28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6280298.exe

Filesize
11KB

MD5
ea640d24b39ac16baf18e6ede52f0b04

SHA1
7eb7877e7f67d88921dfe90b0c8d01a798b15351

SHA256
8307360f88263280eedc76e1b1b05dbb8e3ef2ab2bab34b8fd5288ad02e42d09

SHA512
5668a57c324e2539d948737f058a7f84d36fe10e7c5f3ee3e9b081f7888f58ab589a287177876e8fa6480cae7d55de481d78fb5fe7bc7e6e79d114b679f28419

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2344212.exe

Filesize
700KB

MD5
bd741e51cacfa812723b0c61027715ce

SHA1
500099912fb3b1aea3cd88ff0a1acf9f161f0635

SHA256
c29a7526c6a6c4adcb4e2c0b4b315c59275eb9209c4d5af74998681ed0fd0d9c

SHA512
a0b8cc873aeb5f1f9fd4825f9b14129e1d54ab2e8b8c6ad0b85b0ac2ac83d2a6198649b2c8a9961adbdf04b1dcbcd22ac533920fe864164cd1ed46263d591086

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2344212.exe

Filesize
700KB

MD5
bd741e51cacfa812723b0c61027715ce

SHA1
500099912fb3b1aea3cd88ff0a1acf9f161f0635

SHA256
c29a7526c6a6c4adcb4e2c0b4b315c59275eb9209c4d5af74998681ed0fd0d9c

SHA512
a0b8cc873aeb5f1f9fd4825f9b14129e1d54ab2e8b8c6ad0b85b0ac2ac83d2a6198649b2c8a9961adbdf04b1dcbcd22ac533920fe864164cd1ed46263d591086

Download Submit
memory/312-35-0x0000000000040000-0x000000000004A000-memory.dmp

Filesize
40KB

Download
memory/312-36-0x00007FFC9A230000-0x00007FFC9AC1C000-memory.dmp

Filesize
9.9MB

Download
memory/312-38-0x00007FFC9A230000-0x00007FFC9AC1C000-memory.dmp

Filesize
9.9MB

Download
memory/3928-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-46-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download