healer | e83953dd2f4d7d6fa05adcf0dc828b41565ccedf44d2ca4b13fd35db6f3747d3

Analysis

max time kernel
71s
max time network
87s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
30/09/2023, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e83953dd2f4d7d6fa05adcf0dc828b41565ccedf44d2ca4b13fd35db6f3747d3.exe
Size

1.0MB
MD5

c486726f13f0dbbec13efd792e6b5bb6
SHA1

efca615191e6f727a9ea84c1e8b3ce0f7fe5b4a8
SHA256

e83953dd2f4d7d6fa05adcf0dc828b41565ccedf44d2ca4b13fd35db6f3747d3
SHA512

b919b0efd42a5a808ec6fba95fde75100275eea65bff098c355231b16e6faef089e1bb434ddd89a43b051b960d1b8c8f032e96b50f945076e606882bb4e73ab6
SSDEEP

24576:6yTCl2edVsyAHK2rFtlzpqZ24angh/aM6sAjdzhwgEOL:BTCo4VsXq8tJ4gA05dlwg

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b037-33.dat	healer
behavioral1/files/0x000700000001b037-34.dat	healer
behavioral1/memory/868-35-0x0000000000EE0000-0x0000000000EEA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q0011811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q0011811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q0011811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q0011811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q0011811.exe

Executes dropped EXE 6 IoCs

pid	Process
4456	z9367816.exe
828	z5273005.exe
1172	z8887252.exe
4836	z1865727.exe
868	q0011811.exe
1124	r3254871.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q0011811.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e83953dd2f4d7d6fa05adcf0dc828b41565ccedf44d2ca4b13fd35db6f3747d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9367816.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5273005.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8887252.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z1865727.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1124 set thread context of 1600	1124	r3254871.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3648	1124	WerFault.exe	75
3124	1600	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
868	q0011811.exe
868	q0011811.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	q0011811.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 4456	2744	e83953dd2f4d7d6fa05adcf0dc828b41565ccedf44d2ca4b13fd35db6f3747d3.exe	70
PID 2744 wrote to memory of 4456	2744	e83953dd2f4d7d6fa05adcf0dc828b41565ccedf44d2ca4b13fd35db6f3747d3.exe	70
PID 2744 wrote to memory of 4456	2744	e83953dd2f4d7d6fa05adcf0dc828b41565ccedf44d2ca4b13fd35db6f3747d3.exe	70
PID 4456 wrote to memory of 828	4456	z9367816.exe	71
PID 4456 wrote to memory of 828	4456	z9367816.exe	71
PID 4456 wrote to memory of 828	4456	z9367816.exe	71
PID 828 wrote to memory of 1172	828	z5273005.exe	72
PID 828 wrote to memory of 1172	828	z5273005.exe	72
PID 828 wrote to memory of 1172	828	z5273005.exe	72
PID 1172 wrote to memory of 4836	1172	z8887252.exe	73
PID 1172 wrote to memory of 4836	1172	z8887252.exe	73
PID 1172 wrote to memory of 4836	1172	z8887252.exe	73
PID 4836 wrote to memory of 868	4836	z1865727.exe	74
PID 4836 wrote to memory of 868	4836	z1865727.exe	74
PID 4836 wrote to memory of 1124	4836	z1865727.exe	75
PID 4836 wrote to memory of 1124	4836	z1865727.exe	75
PID 4836 wrote to memory of 1124	4836	z1865727.exe	75
PID 1124 wrote to memory of 1600	1124	r3254871.exe	77
PID 1124 wrote to memory of 1600	1124	r3254871.exe	77
PID 1124 wrote to memory of 1600	1124	r3254871.exe	77
PID 1124 wrote to memory of 1600	1124	r3254871.exe	77
PID 1124 wrote to memory of 1600	1124	r3254871.exe	77
PID 1124 wrote to memory of 1600	1124	r3254871.exe	77
PID 1124 wrote to memory of 1600	1124	r3254871.exe	77
PID 1124 wrote to memory of 1600	1124	r3254871.exe	77
PID 1124 wrote to memory of 1600	1124	r3254871.exe	77
PID 1124 wrote to memory of 1600	1124	r3254871.exe	77

C:\Users\Admin\AppData\Local\Temp\e83953dd2f4d7d6fa05adcf0dc828b41565ccedf44d2ca4b13fd35db6f3747d3.exe
"C:\Users\Admin\AppData\Local\Temp\e83953dd2f4d7d6fa05adcf0dc828b41565ccedf44d2ca4b13fd35db6f3747d3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9367816.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9367816.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5273005.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5273005.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8887252.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8887252.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1865727.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1865727.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0011811.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0011811.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3254871.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3254871.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 568
        8⤵
        Program crash
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 592
        7⤵
        Program crash
        
        PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9367816.exe

Filesize
972KB

MD5
8c70087513dac7a4ac4c8cbb42900f46

SHA1
403c1aae8a1ab0912ce56d97c35c075c50be600d

SHA256
7d046c395fb2751544e2220dd509864d6e050322040af6fe2cf62f9876523346

SHA512
0b818514087d8e442a3dc14bc135a69e6b32634758061050f3e9d2ba49b9c1f8769a2f4b0b1663d42ad60785c1ff239245368f708e42c1eb3f6ac2c9d35c2e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9367816.exe

Filesize
972KB

MD5
8c70087513dac7a4ac4c8cbb42900f46

SHA1
403c1aae8a1ab0912ce56d97c35c075c50be600d

SHA256
7d046c395fb2751544e2220dd509864d6e050322040af6fe2cf62f9876523346

SHA512
0b818514087d8e442a3dc14bc135a69e6b32634758061050f3e9d2ba49b9c1f8769a2f4b0b1663d42ad60785c1ff239245368f708e42c1eb3f6ac2c9d35c2e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5273005.exe

Filesize
789KB

MD5
a51c8b8bdc62735d3f053e8118f421f6

SHA1
e4d464dbd5a2ad8357aeb623c8e0d82f761220e2

SHA256
a8e8a20e6e74d0bfbb1d513e0e2c94ff118a4e7014830ed01052571e86b2a4e3

SHA512
30a15ed36969fbcf476c5c13850fab35445255bb2a901bf5ca0b9b6a2e7831d770b8101c262476b12252dd65da1eb0c2167489417878931d009c48136d0a58a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5273005.exe

Filesize
789KB

MD5
a51c8b8bdc62735d3f053e8118f421f6

SHA1
e4d464dbd5a2ad8357aeb623c8e0d82f761220e2

SHA256
a8e8a20e6e74d0bfbb1d513e0e2c94ff118a4e7014830ed01052571e86b2a4e3

SHA512
30a15ed36969fbcf476c5c13850fab35445255bb2a901bf5ca0b9b6a2e7831d770b8101c262476b12252dd65da1eb0c2167489417878931d009c48136d0a58a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8887252.exe

Filesize
606KB

MD5
7736059183e6c766feedfb63a8ebceb0

SHA1
f7e4bc1bad97acb6d536dea445a0e911e9d689e7

SHA256
ea9795725a433548388da25a73f37ec8cc1e327e0d1aa730bdc4229a339fbc25

SHA512
48d3b762d819207fafcce4e8a807c2441171cb255254ab4f305ed7952b53a50cad28cab44286e8448d55dc36bcb987c816bc7271b387acd396a1d9a5b68f875e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8887252.exe

Filesize
606KB

MD5
7736059183e6c766feedfb63a8ebceb0

SHA1
f7e4bc1bad97acb6d536dea445a0e911e9d689e7

SHA256
ea9795725a433548388da25a73f37ec8cc1e327e0d1aa730bdc4229a339fbc25

SHA512
48d3b762d819207fafcce4e8a807c2441171cb255254ab4f305ed7952b53a50cad28cab44286e8448d55dc36bcb987c816bc7271b387acd396a1d9a5b68f875e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1865727.exe

Filesize
335KB

MD5
1763fa184dea8737f2701fa7abaa21d0

SHA1
77264fdf1872fcaa07dc7712a71b592e659a6238

SHA256
3705e88ae0bbc661af7ece8052efd0f46436d28c1b034c1c81d4fec48f406bd5

SHA512
0319bc00a8a61d0a723dd4b826775a1f92b860213933a884da075c1a8b7b6eedb3285869194b21adf1e050f2d53f10195170051761ecd337be81884dddae866f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1865727.exe

Filesize
335KB

MD5
1763fa184dea8737f2701fa7abaa21d0

SHA1
77264fdf1872fcaa07dc7712a71b592e659a6238

SHA256
3705e88ae0bbc661af7ece8052efd0f46436d28c1b034c1c81d4fec48f406bd5

SHA512
0319bc00a8a61d0a723dd4b826775a1f92b860213933a884da075c1a8b7b6eedb3285869194b21adf1e050f2d53f10195170051761ecd337be81884dddae866f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0011811.exe

Filesize
11KB

MD5
b968cb5ee58d2be7a39da9dbe566c5e2

SHA1
4c5aee95f0541f56342489494fb55f4540861903

SHA256
2706a36e942b9cc9fa797c7cf817d554238b8dfa1f71ef0fa6e3706382627356

SHA512
c8ec877350d9ac098b194c2b1a3ecec27f9d198e91064ab5a016879df16e8d5caaa9077ad210ffd623f0ffec9502ae00e4e312d577027f1ef2ab15af966f37c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0011811.exe

Filesize
11KB

MD5
b968cb5ee58d2be7a39da9dbe566c5e2

SHA1
4c5aee95f0541f56342489494fb55f4540861903

SHA256
2706a36e942b9cc9fa797c7cf817d554238b8dfa1f71ef0fa6e3706382627356

SHA512
c8ec877350d9ac098b194c2b1a3ecec27f9d198e91064ab5a016879df16e8d5caaa9077ad210ffd623f0ffec9502ae00e4e312d577027f1ef2ab15af966f37c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3254871.exe

Filesize
356KB

MD5
21b44babbf7baeeeb2ec506828644075

SHA1
162670005a5a4d9e18d72a94f3124db60b533ae5

SHA256
5154b0aa9ee983cc5fae04fa26b8d5bb27ea91f77214e546eb9523a9e9a5dbb0

SHA512
f81ed16af92bd83fde84d2cdb83723cd57f0458874710d8435e29433e8020539b624b868c8e97a76368f0d4ec0ea27712ebf22596840d067b213a55b98751c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3254871.exe

Filesize
356KB

MD5
21b44babbf7baeeeb2ec506828644075

SHA1
162670005a5a4d9e18d72a94f3124db60b533ae5

SHA256
5154b0aa9ee983cc5fae04fa26b8d5bb27ea91f77214e546eb9523a9e9a5dbb0

SHA512
f81ed16af92bd83fde84d2cdb83723cd57f0458874710d8435e29433e8020539b624b868c8e97a76368f0d4ec0ea27712ebf22596840d067b213a55b98751c07

Download Submit
memory/868-35-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

Filesize
40KB

Download
memory/868-36-0x00007FF89D050000-0x00007FF89DA3C000-memory.dmp

Filesize
9.9MB

Download
memory/868-38-0x00007FF89D050000-0x00007FF89DA3C000-memory.dmp

Filesize
9.9MB

Download
memory/1600-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1600-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1600-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1600-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download