healer | e37269b541b042710db130ff24977478e012507c2c82faa6fbc874838a7baea3

Analysis

max time kernel
135s
max time network
139s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
24/09/2023, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e37269b541b042710db130ff24977478e012507c2c82faa6fbc874838a7baea3.exe
Size

1.2MB
MD5

03e2fbe72a017554517a286cc884ff2a
SHA1

f9fc0f9fad1ea5bbc79db2e2a6bdd0671a9e020b
SHA256

e37269b541b042710db130ff24977478e012507c2c82faa6fbc874838a7baea3
SHA512

cb9158bc5847c3902c34ab9a0012dc97dac7b4d2d8888b8192df15007e3aa9d70c3d4ef083a2cd6a943e2c38a21a2766caefa61e7a2a508b982df0867c36ce59
SSDEEP

24576:GyM3RKvsHWgIAXlX1zvkZz7w/cejs1gS+qNCyRslnvmjcIa0V:VM3RKKSAXTLRjegxyGRmDa

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/4884-42-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Executes dropped EXE 6 IoCs

pid	Process
2152	v4540225.exe
1580	v1134135.exe
1848	v9450612.exe
824	v1514489.exe
920	v4398571.exe
3120	a8128288.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	v4398571.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e37269b541b042710db130ff24977478e012507c2c82faa6fbc874838a7baea3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4540225.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1134135.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9450612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1514489.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3120 set thread context of 4884	3120	a8128288.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3208	3120	WerFault.exe	74

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4884	AppLaunch.exe
4884	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	AppLaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 2152	5072	e37269b541b042710db130ff24977478e012507c2c82faa6fbc874838a7baea3.exe	69
PID 5072 wrote to memory of 2152	5072	e37269b541b042710db130ff24977478e012507c2c82faa6fbc874838a7baea3.exe	69
PID 5072 wrote to memory of 2152	5072	e37269b541b042710db130ff24977478e012507c2c82faa6fbc874838a7baea3.exe	69
PID 2152 wrote to memory of 1580	2152	v4540225.exe	70
PID 2152 wrote to memory of 1580	2152	v4540225.exe	70
PID 2152 wrote to memory of 1580	2152	v4540225.exe	70
PID 1580 wrote to memory of 1848	1580	v1134135.exe	71
PID 1580 wrote to memory of 1848	1580	v1134135.exe	71
PID 1580 wrote to memory of 1848	1580	v1134135.exe	71
PID 1848 wrote to memory of 824	1848	v9450612.exe	72
PID 1848 wrote to memory of 824	1848	v9450612.exe	72
PID 1848 wrote to memory of 824	1848	v9450612.exe	72
PID 824 wrote to memory of 920	824	v1514489.exe	73
PID 824 wrote to memory of 920	824	v1514489.exe	73
PID 824 wrote to memory of 920	824	v1514489.exe	73
PID 920 wrote to memory of 3120	920	v4398571.exe	74
PID 920 wrote to memory of 3120	920	v4398571.exe	74
PID 920 wrote to memory of 3120	920	v4398571.exe	74
PID 3120 wrote to memory of 4884	3120	a8128288.exe	75
PID 3120 wrote to memory of 4884	3120	a8128288.exe	75
PID 3120 wrote to memory of 4884	3120	a8128288.exe	75
PID 3120 wrote to memory of 4884	3120	a8128288.exe	75
PID 3120 wrote to memory of 4884	3120	a8128288.exe	75
PID 3120 wrote to memory of 4884	3120	a8128288.exe	75
PID 3120 wrote to memory of 4884	3120	a8128288.exe	75
PID 3120 wrote to memory of 4884	3120	a8128288.exe	75

C:\Users\Admin\AppData\Local\Temp\e37269b541b042710db130ff24977478e012507c2c82faa6fbc874838a7baea3.exe
"C:\Users\Admin\AppData\Local\Temp\e37269b541b042710db130ff24977478e012507c2c82faa6fbc874838a7baea3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4540225.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4540225.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1134135.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1134135.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9450612.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9450612.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1514489.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1514489.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:824
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v4398571.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v4398571.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a8128288.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a8128288.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 552
        8⤵
        Program crash
        
        PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4540225.exe

Filesize
1.1MB

MD5
4a9b40a43a9595ceefa31c651fe42d0d

SHA1
1433f90be681d10dda1e77e4baebdc5ff33ff143

SHA256
23bbfc9b03f412d3ebb2d8b8b95758f0290d91ecd661864bad2c62bb3932381e

SHA512
943c39827e13e39fa67954841284fb22ba7d4960f56b376fb64228e8e1b0c20a844b4c98a4de366c7bfe1c13bb273d336552d1939f6ab932088b6001620abe2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4540225.exe

Filesize
1.1MB

MD5
4a9b40a43a9595ceefa31c651fe42d0d

SHA1
1433f90be681d10dda1e77e4baebdc5ff33ff143

SHA256
23bbfc9b03f412d3ebb2d8b8b95758f0290d91ecd661864bad2c62bb3932381e

SHA512
943c39827e13e39fa67954841284fb22ba7d4960f56b376fb64228e8e1b0c20a844b4c98a4de366c7bfe1c13bb273d336552d1939f6ab932088b6001620abe2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1134135.exe

Filesize
937KB

MD5
08486222f0e0608bf5e56714039b6090

SHA1
0e38963f3308c45e3189124014ca814729fd8e63

SHA256
b897ef6f8537fba939cc01aec4cd5f8050830913086900438d17c7a6d3149644

SHA512
c5122d535ebd7f7a26e1b098753cf7fcd448b11136999fa5a4ae394e06a7507cba7cafb5cdca741bb08fb21b6a27636c68dada16e2890e1638da72104ba78b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1134135.exe

Filesize
937KB

MD5
08486222f0e0608bf5e56714039b6090

SHA1
0e38963f3308c45e3189124014ca814729fd8e63

SHA256
b897ef6f8537fba939cc01aec4cd5f8050830913086900438d17c7a6d3149644

SHA512
c5122d535ebd7f7a26e1b098753cf7fcd448b11136999fa5a4ae394e06a7507cba7cafb5cdca741bb08fb21b6a27636c68dada16e2890e1638da72104ba78b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9450612.exe

Filesize
782KB

MD5
fadef97bbff9d22dfe170fde50c1106c

SHA1
deb8e6dc6dcece3905a29624e024139c669cb47c

SHA256
6790a2ecb4235f923151f8a5f7ca7c7057f960349ffc8f848443912db8410152

SHA512
a986095cd6567b33c9005512ecf92bcd3aef6dc99c1d44a4843112551268e5936878541a2677b29aadfc5dd0b2baa7e6b6a0f9abb7d99fa92595f6cbae9af23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9450612.exe

Filesize
782KB

MD5
fadef97bbff9d22dfe170fde50c1106c

SHA1
deb8e6dc6dcece3905a29624e024139c669cb47c

SHA256
6790a2ecb4235f923151f8a5f7ca7c7057f960349ffc8f848443912db8410152

SHA512
a986095cd6567b33c9005512ecf92bcd3aef6dc99c1d44a4843112551268e5936878541a2677b29aadfc5dd0b2baa7e6b6a0f9abb7d99fa92595f6cbae9af23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1514489.exe

Filesize
605KB

MD5
d4deb49b2fce259c7cf50d0dcf66dee2

SHA1
23b3692999567954ee51ee414d84c1b9a183db8d

SHA256
85022f0f7ffc405865b5a129dd1dee9b7107bdb9fd2bdd114a338f216f157bf0

SHA512
0e595ff78f1aa4b56ae39a5e463a7233086fba7662f16e1ef9a05a4cd7b3911664ed9e4533e5211299c782ebf1d9dff5462f66cc15d61f750703cf75f31f847a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1514489.exe

Filesize
605KB

MD5
d4deb49b2fce259c7cf50d0dcf66dee2

SHA1
23b3692999567954ee51ee414d84c1b9a183db8d

SHA256
85022f0f7ffc405865b5a129dd1dee9b7107bdb9fd2bdd114a338f216f157bf0

SHA512
0e595ff78f1aa4b56ae39a5e463a7233086fba7662f16e1ef9a05a4cd7b3911664ed9e4533e5211299c782ebf1d9dff5462f66cc15d61f750703cf75f31f847a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v4398571.exe

Filesize
345KB

MD5
af797eed8d97a350d6d82d80ac7b45ee

SHA1
64af5cd332bb59ea3e3b19844c675b8a8ffcbcd2

SHA256
009694dbddb36072cd433f496c9cdbe4a56889351b9849cb1a1afbefa8a6ae0f

SHA512
9259eff4f5f9a70cbbf9aceb30cfae4bf493590297f2ec60ba8f6fdfbd5e94a5ada0154bd42179ad26be64db27d0c65ca18feec6b72a457372e90aa579a6dc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v4398571.exe

Filesize
345KB

MD5
af797eed8d97a350d6d82d80ac7b45ee

SHA1
64af5cd332bb59ea3e3b19844c675b8a8ffcbcd2

SHA256
009694dbddb36072cd433f496c9cdbe4a56889351b9849cb1a1afbefa8a6ae0f

SHA512
9259eff4f5f9a70cbbf9aceb30cfae4bf493590297f2ec60ba8f6fdfbd5e94a5ada0154bd42179ad26be64db27d0c65ca18feec6b72a457372e90aa579a6dc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a8128288.exe

Filesize
220KB

MD5
24b00e091f996e3e7b2ca666c1defd9d

SHA1
4f9db68e60e546f788f62bdde5b6e5019fbfd244

SHA256
8c20327c89db231767ffe95ecad1e673a2e8ff84849e00f3a36e1d2c6c5f3fc9

SHA512
c9121ed75cfdb56e1c4602fd5997542d07c794a031fba0f8565e2d77f8aae5e3e519a585f8bb5f9cfba7adbf8b84605dce243016ed329a827a0966780da033d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a8128288.exe

Filesize
220KB

MD5
24b00e091f996e3e7b2ca666c1defd9d

SHA1
4f9db68e60e546f788f62bdde5b6e5019fbfd244

SHA256
8c20327c89db231767ffe95ecad1e673a2e8ff84849e00f3a36e1d2c6c5f3fc9

SHA512
c9121ed75cfdb56e1c4602fd5997542d07c794a031fba0f8565e2d77f8aae5e3e519a585f8bb5f9cfba7adbf8b84605dce243016ed329a827a0966780da033d8

Download Submit
memory/4884-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4884-46-0x0000000072CE0000-0x00000000733CE000-memory.dmp

Filesize
6.9MB

Download
memory/4884-55-0x0000000072CE0000-0x00000000733CE000-memory.dmp

Filesize
6.9MB

Download
memory/4884-70-0x0000000072CE0000-0x00000000733CE000-memory.dmp

Filesize
6.9MB

Download