healer | 037184964a1f8a201eacf29cf9976c2b2ee35bb6fd99220feecce91ef4eaeeff

Analysis

max time kernel
128s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
23-09-2023 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

037184964a1f8a201eacf29cf9976c2b2ee35bb6fd99220feecce91ef4eaeeff.exe
Size

1.0MB
MD5

f7aed5fcf2113fef31de08907ca5e0cf
SHA1

a679d58a49005a925a50cea6b8d08ca615299742
SHA256

037184964a1f8a201eacf29cf9976c2b2ee35bb6fd99220feecce91ef4eaeeff
SHA512

6f9c70ea3aa81efe13760325b8e16358a589b6e4d4cb73cd464ebfdcca1944cba2e68fc21c135de799d8d488b2932ea118a6f0aeab45a01a1a66496e0babc134
SSDEEP

24576:hyKfEusaCtXyn2TP2xeX0AqpQOsbmR7P9Pleqc:UKfqsCEC09WPmR71Pkq

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af98-33.dat	healer
behavioral1/files/0x000700000001af98-34.dat	healer
behavioral1/memory/2184-35-0x0000000000EE0000-0x0000000000EEA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q5537076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q5537076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q5537076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q5537076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q5537076.exe

Executes dropped EXE 6 IoCs

pid	Process
3604	z4432227.exe
2740	z0398848.exe
2080	z7545467.exe
512	z4451203.exe
2184	q5537076.exe
4112	r6741476.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q5537076.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4432227.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0398848.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7545467.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4451203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	037184964a1f8a201eacf29cf9976c2b2ee35bb6fd99220feecce91ef4eaeeff.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4112 set thread context of 780	4112	r6741476.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
604	4112	WerFault.exe	75
4424	780	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	q5537076.exe
2184	q5537076.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	q5537076.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 3604	4408	037184964a1f8a201eacf29cf9976c2b2ee35bb6fd99220feecce91ef4eaeeff.exe	70
PID 4408 wrote to memory of 3604	4408	037184964a1f8a201eacf29cf9976c2b2ee35bb6fd99220feecce91ef4eaeeff.exe	70
PID 4408 wrote to memory of 3604	4408	037184964a1f8a201eacf29cf9976c2b2ee35bb6fd99220feecce91ef4eaeeff.exe	70
PID 3604 wrote to memory of 2740	3604	z4432227.exe	71
PID 3604 wrote to memory of 2740	3604	z4432227.exe	71
PID 3604 wrote to memory of 2740	3604	z4432227.exe	71
PID 2740 wrote to memory of 2080	2740	z0398848.exe	72
PID 2740 wrote to memory of 2080	2740	z0398848.exe	72
PID 2740 wrote to memory of 2080	2740	z0398848.exe	72
PID 2080 wrote to memory of 512	2080	z7545467.exe	73
PID 2080 wrote to memory of 512	2080	z7545467.exe	73
PID 2080 wrote to memory of 512	2080	z7545467.exe	73
PID 512 wrote to memory of 2184	512	z4451203.exe	74
PID 512 wrote to memory of 2184	512	z4451203.exe	74
PID 512 wrote to memory of 4112	512	z4451203.exe	75
PID 512 wrote to memory of 4112	512	z4451203.exe	75
PID 512 wrote to memory of 4112	512	z4451203.exe	75
PID 4112 wrote to memory of 780	4112	r6741476.exe	76
PID 4112 wrote to memory of 780	4112	r6741476.exe	76
PID 4112 wrote to memory of 780	4112	r6741476.exe	76
PID 4112 wrote to memory of 780	4112	r6741476.exe	76
PID 4112 wrote to memory of 780	4112	r6741476.exe	76
PID 4112 wrote to memory of 780	4112	r6741476.exe	76
PID 4112 wrote to memory of 780	4112	r6741476.exe	76
PID 4112 wrote to memory of 780	4112	r6741476.exe	76
PID 4112 wrote to memory of 780	4112	r6741476.exe	76
PID 4112 wrote to memory of 780	4112	r6741476.exe	76

C:\Users\Admin\AppData\Local\Temp\037184964a1f8a201eacf29cf9976c2b2ee35bb6fd99220feecce91ef4eaeeff.exe
"C:\Users\Admin\AppData\Local\Temp\037184964a1f8a201eacf29cf9976c2b2ee35bb6fd99220feecce91ef4eaeeff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4432227.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4432227.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0398848.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0398848.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7545467.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7545467.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4451203.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4451203.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:512
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5537076.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5537076.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6741476.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6741476.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 568
        8⤵
        Program crash
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 552
        7⤵
        Program crash
        
        PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4432227.exe

Filesize
969KB

MD5
6761c61a3684d17329ba82fb95a7ea52

SHA1
c78fb621a6ac93d2958238db98fd94bc5a304c7e

SHA256
b28433b45cde359f7595553bc218172c4b888bdb8bfa785631798722cf28e5e5

SHA512
7bdbfedbfb980fe5f76d4ec603ee419014e801a1c7000fb2dabb050d484deb08835b152f916740d2277bddb2cb46dfce685d529be93da4c921ac16dbb688a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4432227.exe

Filesize
969KB

MD5
6761c61a3684d17329ba82fb95a7ea52

SHA1
c78fb621a6ac93d2958238db98fd94bc5a304c7e

SHA256
b28433b45cde359f7595553bc218172c4b888bdb8bfa785631798722cf28e5e5

SHA512
7bdbfedbfb980fe5f76d4ec603ee419014e801a1c7000fb2dabb050d484deb08835b152f916740d2277bddb2cb46dfce685d529be93da4c921ac16dbb688a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0398848.exe

Filesize
787KB

MD5
565b3b23cf5e3200b602f9b0b0909a5c

SHA1
cdc931ed453f3fccdb27bf50e037bea2f1556cc3

SHA256
9414b1cb544d14d7c401dcbe19fda6d27937ee2098af8e4a2d8dc0eb498ed397

SHA512
ce52464cbd7e2918c3035e1922c2c436462b60f2c3191a12a62e8e10651b9eaa70ce42ad016b0f72adf2a63bf1d6e096ad4b76bbd070b4ca231315123c9f445f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0398848.exe

Filesize
787KB

MD5
565b3b23cf5e3200b602f9b0b0909a5c

SHA1
cdc931ed453f3fccdb27bf50e037bea2f1556cc3

SHA256
9414b1cb544d14d7c401dcbe19fda6d27937ee2098af8e4a2d8dc0eb498ed397

SHA512
ce52464cbd7e2918c3035e1922c2c436462b60f2c3191a12a62e8e10651b9eaa70ce42ad016b0f72adf2a63bf1d6e096ad4b76bbd070b4ca231315123c9f445f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7545467.exe

Filesize
604KB

MD5
4b58a3116704660eaba3e3309a30064b

SHA1
834f845808aac16900bd9815700e1285a431bc52

SHA256
f314bd53b87da9a708c9f072b1029766ca0534277b02ff1840094cb4f0e98e45

SHA512
61364c3dbc3aea818ee8dbd5465adc6a5f36c746d79bdc1d776324f8722b165feee1b07e491a2e095bd67848a5fbefd626d2d5785682536da5a3da61e5c87454

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7545467.exe

Filesize
604KB

MD5
4b58a3116704660eaba3e3309a30064b

SHA1
834f845808aac16900bd9815700e1285a431bc52

SHA256
f314bd53b87da9a708c9f072b1029766ca0534277b02ff1840094cb4f0e98e45

SHA512
61364c3dbc3aea818ee8dbd5465adc6a5f36c746d79bdc1d776324f8722b165feee1b07e491a2e095bd67848a5fbefd626d2d5785682536da5a3da61e5c87454

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4451203.exe

Filesize
339KB

MD5
366c0f918dd91b451a6695bf19eca555

SHA1
fb4124b6d92d32c03eec58433faf5737283dab86

SHA256
d0eca3275506a7f4345bfd2956cf799bb856e82c33fc7b8ac1b5e93e42edf7b4

SHA512
b000aad7c31271faa12debb582b31f339db4c88fed991af2a04be5e9433eb157c1be5cda3d9d277f8690d21e23bffed84f73b78335bedd485c8d23cf4b4f8666

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4451203.exe

Filesize
339KB

MD5
366c0f918dd91b451a6695bf19eca555

SHA1
fb4124b6d92d32c03eec58433faf5737283dab86

SHA256
d0eca3275506a7f4345bfd2956cf799bb856e82c33fc7b8ac1b5e93e42edf7b4

SHA512
b000aad7c31271faa12debb582b31f339db4c88fed991af2a04be5e9433eb157c1be5cda3d9d277f8690d21e23bffed84f73b78335bedd485c8d23cf4b4f8666

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5537076.exe

Filesize
12KB

MD5
3ba92b8b86daadad96af09d070c3df9b

SHA1
3a5a37b084953ef4084a8be709ca851aa69fae64

SHA256
566058cf52fc3e8dd477ab572e1dd17863c2022f2fc6f1002feda94940812752

SHA512
698f287949a039e4c1995a0710efe5d4e3222688efab874661834c3ef845bbd3be1e632853cc8415083d6b7f3088a67c24e20c00d5d32f9c7956714113355823

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5537076.exe

Filesize
12KB

MD5
3ba92b8b86daadad96af09d070c3df9b

SHA1
3a5a37b084953ef4084a8be709ca851aa69fae64

SHA256
566058cf52fc3e8dd477ab572e1dd17863c2022f2fc6f1002feda94940812752

SHA512
698f287949a039e4c1995a0710efe5d4e3222688efab874661834c3ef845bbd3be1e632853cc8415083d6b7f3088a67c24e20c00d5d32f9c7956714113355823

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6741476.exe

Filesize
365KB

MD5
aae8ada6e0d1e431e8534abbc33c4eea

SHA1
665a197382544dfb69be53c9200e0291ea0d4002

SHA256
7ee810bbed978f835e137c39db9793706bf99c03776fd6740154e7f104afe761

SHA512
e6ef1a6263508edd7ae18dc5e79fe59dd9de7ea2ef6aa58873c6d63afd7e33709aa8c1683b6104b39944270f980075bf888e1ce6a9593da31826d6485cd511e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6741476.exe

Filesize
365KB

MD5
aae8ada6e0d1e431e8534abbc33c4eea

SHA1
665a197382544dfb69be53c9200e0291ea0d4002

SHA256
7ee810bbed978f835e137c39db9793706bf99c03776fd6740154e7f104afe761

SHA512
e6ef1a6263508edd7ae18dc5e79fe59dd9de7ea2ef6aa58873c6d63afd7e33709aa8c1683b6104b39944270f980075bf888e1ce6a9593da31826d6485cd511e7

Download Submit
memory/780-42-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/780-45-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/780-46-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/780-48-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2184-35-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

Filesize
40KB

Download
memory/2184-36-0x00007FF92ABA0000-0x00007FF92B58C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-38-0x00007FF92ABA0000-0x00007FF92B58C000-memory.dmp

Filesize
9.9MB

Download