healer | 6ee62187d822d8f0a8136a48874aab4b6892bf6804b5d5f294e17e9018bd0a15

Analysis

max time kernel
122s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
22/09/2023, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ee62187d822d8f0a8136a48874aab4b6892bf6804b5d5f294e17e9018bd0a15.exe
Size

1.1MB
MD5

86cce3df19d7435978f2755ba5a054f2
SHA1

eb78f26da3413745e1c9f5b4ce1fbdafcd2d9a6b
SHA256

6ee62187d822d8f0a8136a48874aab4b6892bf6804b5d5f294e17e9018bd0a15
SHA512

5f28506d0f012b5ef3876a80bd71ee3c3a537a3faf5b4daa4002ed90b51621af8e34f9bb0931c0d29baa17a8a4fad99b9014fbfa3211e7daaca5cbef4ed85c0d
SSDEEP

24576:byNf7DpKAsyjbssEXUWdQ4TYJf5WiEVs16dWQ7x:ONjYEbbvW38Jf5WfeyWQ7

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afed-33.dat	healer
behavioral1/files/0x000700000001afed-34.dat	healer
behavioral1/memory/2580-35-0x0000000000770000-0x000000000077A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q3104382.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q3104382.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q3104382.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q3104382.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q3104382.exe

Executes dropped EXE 6 IoCs

pid	Process
3464	z1282574.exe
3068	z5855069.exe
4656	z1239987.exe
4584	z9871237.exe
2580	q3104382.exe
224	r0944788.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q3104382.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6ee62187d822d8f0a8136a48874aab4b6892bf6804b5d5f294e17e9018bd0a15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1282574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5855069.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1239987.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9871237.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 224 set thread context of 2376	224	r0944788.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4568	224	WerFault.exe	75
1584	2376	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2580	q3104382.exe
2580	q3104382.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	q3104382.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 3464	708	6ee62187d822d8f0a8136a48874aab4b6892bf6804b5d5f294e17e9018bd0a15.exe	70
PID 708 wrote to memory of 3464	708	6ee62187d822d8f0a8136a48874aab4b6892bf6804b5d5f294e17e9018bd0a15.exe	70
PID 708 wrote to memory of 3464	708	6ee62187d822d8f0a8136a48874aab4b6892bf6804b5d5f294e17e9018bd0a15.exe	70
PID 3464 wrote to memory of 3068	3464	z1282574.exe	71
PID 3464 wrote to memory of 3068	3464	z1282574.exe	71
PID 3464 wrote to memory of 3068	3464	z1282574.exe	71
PID 3068 wrote to memory of 4656	3068	z5855069.exe	72
PID 3068 wrote to memory of 4656	3068	z5855069.exe	72
PID 3068 wrote to memory of 4656	3068	z5855069.exe	72
PID 4656 wrote to memory of 4584	4656	z1239987.exe	73
PID 4656 wrote to memory of 4584	4656	z1239987.exe	73
PID 4656 wrote to memory of 4584	4656	z1239987.exe	73
PID 4584 wrote to memory of 2580	4584	z9871237.exe	74
PID 4584 wrote to memory of 2580	4584	z9871237.exe	74
PID 4584 wrote to memory of 224	4584	z9871237.exe	75
PID 4584 wrote to memory of 224	4584	z9871237.exe	75
PID 4584 wrote to memory of 224	4584	z9871237.exe	75
PID 224 wrote to memory of 2376	224	r0944788.exe	76
PID 224 wrote to memory of 2376	224	r0944788.exe	76
PID 224 wrote to memory of 2376	224	r0944788.exe	76
PID 224 wrote to memory of 2376	224	r0944788.exe	76
PID 224 wrote to memory of 2376	224	r0944788.exe	76
PID 224 wrote to memory of 2376	224	r0944788.exe	76
PID 224 wrote to memory of 2376	224	r0944788.exe	76
PID 224 wrote to memory of 2376	224	r0944788.exe	76
PID 224 wrote to memory of 2376	224	r0944788.exe	76
PID 224 wrote to memory of 2376	224	r0944788.exe	76

C:\Users\Admin\AppData\Local\Temp\6ee62187d822d8f0a8136a48874aab4b6892bf6804b5d5f294e17e9018bd0a15.exe
"C:\Users\Admin\AppData\Local\Temp\6ee62187d822d8f0a8136a48874aab4b6892bf6804b5d5f294e17e9018bd0a15.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1282574.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1282574.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855069.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855069.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1239987.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1239987.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9871237.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9871237.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3104382.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3104382.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0944788.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0944788.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 568
        8⤵
        Program crash
        
        PID:1584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 552
        7⤵
        Program crash
        
        PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1282574.exe

Filesize
978KB

MD5
38863fcb503233b7387c1d3fd583dedc

SHA1
b25cf50a0e1f1f501441576edb52aee4e9cd75d2

SHA256
6e98f737144aaf4d7aa77fe61efd51596c3f028d9d6335baca5622df5cfb569d

SHA512
f6d9bb638dadc237de2d1495b7f483998034ff2ab72fa08bf7c65965832fb93ee83f797fea60ed94973c2a55d9d90d2538b25fd5e9d6820d9fcb0dd2c2b7c775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1282574.exe

Filesize
978KB

MD5
38863fcb503233b7387c1d3fd583dedc

SHA1
b25cf50a0e1f1f501441576edb52aee4e9cd75d2

SHA256
6e98f737144aaf4d7aa77fe61efd51596c3f028d9d6335baca5622df5cfb569d

SHA512
f6d9bb638dadc237de2d1495b7f483998034ff2ab72fa08bf7c65965832fb93ee83f797fea60ed94973c2a55d9d90d2538b25fd5e9d6820d9fcb0dd2c2b7c775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855069.exe

Filesize
795KB

MD5
ef994228d832c71ef4b3d3f2b0b93563

SHA1
ea40bab7de724dffda1b1dd8d1e898d3bea85f6c

SHA256
406d0947e95e2d7a0d88fe467306be7b103a00c10f7c900bfe05af1f447ec730

SHA512
ef97e5a243f150ffc2a322e2346439da408dbfc657b2f3028f3ade964b7289f6252714a8e7858aa91edb842ac7cc18397de26abc51c7d6e2b169376fc98ba432

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855069.exe

Filesize
795KB

MD5
ef994228d832c71ef4b3d3f2b0b93563

SHA1
ea40bab7de724dffda1b1dd8d1e898d3bea85f6c

SHA256
406d0947e95e2d7a0d88fe467306be7b103a00c10f7c900bfe05af1f447ec730

SHA512
ef97e5a243f150ffc2a322e2346439da408dbfc657b2f3028f3ade964b7289f6252714a8e7858aa91edb842ac7cc18397de26abc51c7d6e2b169376fc98ba432

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1239987.exe

Filesize
612KB

MD5
db821fd64889f4fb3b1a30821e0974c5

SHA1
507872e47edf7a93c980fd97c5c74b5b823960fb

SHA256
b912e4d1e4f953d3f6b4dce124d6943c8d5a7e7bb2b687e828aa27fdc105e8bd

SHA512
14860cf25bfcb539ea0d0ef36d6831898fb49a5ea0865ef75506426cd834dbd1253872cf0cb81b54fb1accf1a750925c9b401d71a054270cb1a7c70fdda74080

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1239987.exe

Filesize
612KB

MD5
db821fd64889f4fb3b1a30821e0974c5

SHA1
507872e47edf7a93c980fd97c5c74b5b823960fb

SHA256
b912e4d1e4f953d3f6b4dce124d6943c8d5a7e7bb2b687e828aa27fdc105e8bd

SHA512
14860cf25bfcb539ea0d0ef36d6831898fb49a5ea0865ef75506426cd834dbd1253872cf0cb81b54fb1accf1a750925c9b401d71a054270cb1a7c70fdda74080

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9871237.exe

Filesize
348KB

MD5
af788154b1a5ce7b7538de6bb715d172

SHA1
c4200e85ec492bbe454f6dd94c08246237218fb2

SHA256
c8a08fa4c4a58d77d8a6f95676851eba51167df6bb0e1c0fe7f1a5fb5a754257

SHA512
1d4614a6e60ff057294a2ae018a72fe2da397f7fe01c921a04d5fcafda1bfd2f43659ecd223e9642829a600b7c2b025a57e6ce3633a365dea6697240e882746d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9871237.exe

Filesize
348KB

MD5
af788154b1a5ce7b7538de6bb715d172

SHA1
c4200e85ec492bbe454f6dd94c08246237218fb2

SHA256
c8a08fa4c4a58d77d8a6f95676851eba51167df6bb0e1c0fe7f1a5fb5a754257

SHA512
1d4614a6e60ff057294a2ae018a72fe2da397f7fe01c921a04d5fcafda1bfd2f43659ecd223e9642829a600b7c2b025a57e6ce3633a365dea6697240e882746d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3104382.exe

Filesize
11KB

MD5
66233842cc4c6ffb85b56e67fece2373

SHA1
b38277717a66492ca9aa822ba760d26940bc5767

SHA256
d8d32c4b550eeb5c689f1424191f48be89b07453b0ca5753f4d19a544ebc0123

SHA512
8c7029f9079df2a839eb402c80b8656800ff07a5341930bc5f04494c1ae6777e35644c350ec6a45ffba4c34d1168416ed9ac9c351022241ef5371b08eff2c809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3104382.exe

Filesize
11KB

MD5
66233842cc4c6ffb85b56e67fece2373

SHA1
b38277717a66492ca9aa822ba760d26940bc5767

SHA256
d8d32c4b550eeb5c689f1424191f48be89b07453b0ca5753f4d19a544ebc0123

SHA512
8c7029f9079df2a839eb402c80b8656800ff07a5341930bc5f04494c1ae6777e35644c350ec6a45ffba4c34d1168416ed9ac9c351022241ef5371b08eff2c809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0944788.exe

Filesize
378KB

MD5
0d3418f880ec81f4e8aa8488e01cc8ca

SHA1
058584a8bdcf874f8756fc7d1c6f5665889d0c4d

SHA256
291f9d817df47b3e24b2cbec5f5d15a4ccb39da8947fa533903c748939eeb0bb

SHA512
c8e4de6ce61e64124926e3531aa48aa879d87567215d005708690a6aa8a3a4120ccfc4ee6ca898c1aa3392defea9b866bffb94635c1fc593e51541d68b72506d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0944788.exe

Filesize
378KB

MD5
0d3418f880ec81f4e8aa8488e01cc8ca

SHA1
058584a8bdcf874f8756fc7d1c6f5665889d0c4d

SHA256
291f9d817df47b3e24b2cbec5f5d15a4ccb39da8947fa533903c748939eeb0bb

SHA512
c8e4de6ce61e64124926e3531aa48aa879d87567215d005708690a6aa8a3a4120ccfc4ee6ca898c1aa3392defea9b866bffb94635c1fc593e51541d68b72506d

Download Submit
memory/2376-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-46-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-35-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/2580-36-0x00007FFFC4560000-0x00007FFFC4F4C000-memory.dmp

Filesize
9.9MB

Download
memory/2580-38-0x00007FFFC4560000-0x00007FFFC4F4C000-memory.dmp

Filesize
9.9MB

Download