healer | ccdf1960aaf20254d282799a321d6d2b64a0e497c8a166d10751b1b7b65f8071

Analysis

max time kernel
125s
max time network
133s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
22/09/2023, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccdf1960aaf20254d282799a321d6d2b64a0e497c8a166d10751b1b7b65f8071.exe
Size

1.1MB
MD5

ce179af2d7b69dd8b917cbcc939ba471
SHA1

1460f6a9cd13642832ea40d21c80ab9566cd9bd9
SHA256

ccdf1960aaf20254d282799a321d6d2b64a0e497c8a166d10751b1b7b65f8071
SHA512

324bbae6c8d5a67a411df165f56740f2857b7954ebbb017168c433604395022dd9a09af2fceb465e037357c5eec382865c818470b327f65a14493e75b40716f6
SSDEEP

24576:ByffEcfpAkQOm7STRz5XCqAbzKoWLmlZnVRLWN:0ffEQqTSh55YkqlLRL

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b005-33.dat	healer
behavioral1/files/0x000700000001b005-34.dat	healer
behavioral1/memory/2704-35-0x00000000007F0000-0x00000000007FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6797162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6797162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6797162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6797162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6797162.exe

Executes dropped EXE 6 IoCs

pid	Process
1164	z5487474.exe
2532	z0520494.exe
1168	z3604877.exe
4244	z0840782.exe
2704	q6797162.exe
5028	r5568890.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6797162.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0840782.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ccdf1960aaf20254d282799a321d6d2b64a0e497c8a166d10751b1b7b65f8071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5487474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0520494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3604877.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5028 set thread context of 2720	5028	r5568890.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1172	5028	WerFault.exe	75
232	2720	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2704	q6797162.exe
2704	q6797162.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	q6797162.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1164	4768	ccdf1960aaf20254d282799a321d6d2b64a0e497c8a166d10751b1b7b65f8071.exe	70
PID 4768 wrote to memory of 1164	4768	ccdf1960aaf20254d282799a321d6d2b64a0e497c8a166d10751b1b7b65f8071.exe	70
PID 4768 wrote to memory of 1164	4768	ccdf1960aaf20254d282799a321d6d2b64a0e497c8a166d10751b1b7b65f8071.exe	70
PID 1164 wrote to memory of 2532	1164	z5487474.exe	71
PID 1164 wrote to memory of 2532	1164	z5487474.exe	71
PID 1164 wrote to memory of 2532	1164	z5487474.exe	71
PID 2532 wrote to memory of 1168	2532	z0520494.exe	72
PID 2532 wrote to memory of 1168	2532	z0520494.exe	72
PID 2532 wrote to memory of 1168	2532	z0520494.exe	72
PID 1168 wrote to memory of 4244	1168	z3604877.exe	73
PID 1168 wrote to memory of 4244	1168	z3604877.exe	73
PID 1168 wrote to memory of 4244	1168	z3604877.exe	73
PID 4244 wrote to memory of 2704	4244	z0840782.exe	74
PID 4244 wrote to memory of 2704	4244	z0840782.exe	74
PID 4244 wrote to memory of 5028	4244	z0840782.exe	75
PID 4244 wrote to memory of 5028	4244	z0840782.exe	75
PID 4244 wrote to memory of 5028	4244	z0840782.exe	75
PID 5028 wrote to memory of 2720	5028	r5568890.exe	76
PID 5028 wrote to memory of 2720	5028	r5568890.exe	76
PID 5028 wrote to memory of 2720	5028	r5568890.exe	76
PID 5028 wrote to memory of 2720	5028	r5568890.exe	76
PID 5028 wrote to memory of 2720	5028	r5568890.exe	76
PID 5028 wrote to memory of 2720	5028	r5568890.exe	76
PID 5028 wrote to memory of 2720	5028	r5568890.exe	76
PID 5028 wrote to memory of 2720	5028	r5568890.exe	76
PID 5028 wrote to memory of 2720	5028	r5568890.exe	76
PID 5028 wrote to memory of 2720	5028	r5568890.exe	76

C:\Users\Admin\AppData\Local\Temp\ccdf1960aaf20254d282799a321d6d2b64a0e497c8a166d10751b1b7b65f8071.exe
"C:\Users\Admin\AppData\Local\Temp\ccdf1960aaf20254d282799a321d6d2b64a0e497c8a166d10751b1b7b65f8071.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5487474.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5487474.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0520494.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0520494.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3604877.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3604877.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0840782.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0840782.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6797162.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6797162.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5568890.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5568890.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 192
        8⤵
        Program crash
        
        PID:232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 580
        7⤵
        Program crash
        
        PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5487474.exe

Filesize
979KB

MD5
7e2c9528780bec0faa450830cbb24e8f

SHA1
013b55f6ad2d2330e4ddb778b87aa4cd8628dd20

SHA256
850e47a477220f739afe02d40bfc5a629b498122594afb383233e5c01fc01cbe

SHA512
a2c208133a7799c8264ac874dff264789be3a8ee4dbcb50f98a66914d60ec79e5e1beb380037d1e72e79cadc53014d9f25186e288f5296a18320f412767e09c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5487474.exe

Filesize
979KB

MD5
7e2c9528780bec0faa450830cbb24e8f

SHA1
013b55f6ad2d2330e4ddb778b87aa4cd8628dd20

SHA256
850e47a477220f739afe02d40bfc5a629b498122594afb383233e5c01fc01cbe

SHA512
a2c208133a7799c8264ac874dff264789be3a8ee4dbcb50f98a66914d60ec79e5e1beb380037d1e72e79cadc53014d9f25186e288f5296a18320f412767e09c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0520494.exe

Filesize
796KB

MD5
dfc11af5638a758aeecbd4e449ddbad2

SHA1
2bc5c14462f2e4fc04c0f5aa70a95f3d141d4709

SHA256
6b0bacb60aefc1d14c8ca619568e4b911c3fd6c04a7959781bfe6941a25e77ba

SHA512
8b3394e17738463ba7fed8fbcf8fa1b8fcb8aa10896c59d8b997d4d5a566da4a3d043292503ef9b51f9c7d35463b8cf43b94707b6e054f5ca45a11797855d9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0520494.exe

Filesize
796KB

MD5
dfc11af5638a758aeecbd4e449ddbad2

SHA1
2bc5c14462f2e4fc04c0f5aa70a95f3d141d4709

SHA256
6b0bacb60aefc1d14c8ca619568e4b911c3fd6c04a7959781bfe6941a25e77ba

SHA512
8b3394e17738463ba7fed8fbcf8fa1b8fcb8aa10896c59d8b997d4d5a566da4a3d043292503ef9b51f9c7d35463b8cf43b94707b6e054f5ca45a11797855d9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3604877.exe

Filesize
612KB

MD5
563d5c76daee350e61e9035bad9c238d

SHA1
64bb4a8dcb4899560263f00a7886d85dff3322f4

SHA256
3e307e0289b1c7494e92452760e8eecd4550eb35ea645b947c5a9a6f942104ff

SHA512
643c31c828e8230fef64c1ecb151e6fae48daa611074f488a0163979705b98231be00d421ea39388f7da535b856b1c803a489ac587e412d5d55e56ee01269df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3604877.exe

Filesize
612KB

MD5
563d5c76daee350e61e9035bad9c238d

SHA1
64bb4a8dcb4899560263f00a7886d85dff3322f4

SHA256
3e307e0289b1c7494e92452760e8eecd4550eb35ea645b947c5a9a6f942104ff

SHA512
643c31c828e8230fef64c1ecb151e6fae48daa611074f488a0163979705b98231be00d421ea39388f7da535b856b1c803a489ac587e412d5d55e56ee01269df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0840782.exe

Filesize
348KB

MD5
bd4fad02d389953f3355ddaad920fd70

SHA1
2bd5dd06f986d132702559ac2d0c290d3fc1af78

SHA256
f5514db35210aa0784ffb5d0b9c27b3b35c46f87c20ff759870e3e2b13eb3333

SHA512
6090544b66daa1e34b57a97cbd5dfaa93350bbea519c6eb115d46bf1bd1aedd1582d329ccf9d09b14771bf39e4238de856694255c647078ff089a2d9a9de6ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0840782.exe

Filesize
348KB

MD5
bd4fad02d389953f3355ddaad920fd70

SHA1
2bd5dd06f986d132702559ac2d0c290d3fc1af78

SHA256
f5514db35210aa0784ffb5d0b9c27b3b35c46f87c20ff759870e3e2b13eb3333

SHA512
6090544b66daa1e34b57a97cbd5dfaa93350bbea519c6eb115d46bf1bd1aedd1582d329ccf9d09b14771bf39e4238de856694255c647078ff089a2d9a9de6ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6797162.exe

Filesize
12KB

MD5
10b1d68f151be4696a285a81031650f1

SHA1
1ce8d8786017986f8b108d0e5ce976e72b6b43c1

SHA256
c8fff9cec16825772ff270c0263297c0fd65e097717288bb196438bf22ea4ce2

SHA512
2c0c0f653d9b82d647fa8040209d1fa8a5473f104b00d4f87f1f5d159496e2a38cfa0f63ee2e01b0de81371a948527a23eda0fbb2e9abb3b94b7c5936ae76479

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6797162.exe

Filesize
12KB

MD5
10b1d68f151be4696a285a81031650f1

SHA1
1ce8d8786017986f8b108d0e5ce976e72b6b43c1

SHA256
c8fff9cec16825772ff270c0263297c0fd65e097717288bb196438bf22ea4ce2

SHA512
2c0c0f653d9b82d647fa8040209d1fa8a5473f104b00d4f87f1f5d159496e2a38cfa0f63ee2e01b0de81371a948527a23eda0fbb2e9abb3b94b7c5936ae76479

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5568890.exe

Filesize
378KB

MD5
1d396223d58be4738b4e6851f71d750d

SHA1
e4deb65f819687846ec2bb7634378e58ed040d77

SHA256
5f40ae523da5ea99d9d875fc793a90dd11384367e3ee6007d49dc07c7faa3816

SHA512
29e6aafe0f8ede1f377b8483c478083adb57eb572af631b8c385768e09a3914d9f6bb8b03f39d40cbc944523e9125c10a42cceeeda0a522b918aae566463946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5568890.exe

Filesize
378KB

MD5
1d396223d58be4738b4e6851f71d750d

SHA1
e4deb65f819687846ec2bb7634378e58ed040d77

SHA256
5f40ae523da5ea99d9d875fc793a90dd11384367e3ee6007d49dc07c7faa3816

SHA512
29e6aafe0f8ede1f377b8483c478083adb57eb572af631b8c385768e09a3914d9f6bb8b03f39d40cbc944523e9125c10a42cceeeda0a522b918aae566463946d

Download Submit
memory/2704-35-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/2704-36-0x00007FFB6F190000-0x00007FFB6FB7C000-memory.dmp

Filesize
9.9MB

Download
memory/2704-38-0x00007FFB6F190000-0x00007FFB6FB7C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-46-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2720-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download