healer | aeb5c20d221dbabe7aea05554721a6d292ac662ecedda393f239b776526144ea

Analysis

max time kernel
126s
max time network
136s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
01/10/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeb5c20d221dbabe7aea05554721a6d292ac662ecedda393f239b776526144ea.exe
Size

1.1MB
MD5

e35af287a2d4d007f8167398f568bc31
SHA1

f009c7ff1c31a5a42bc404924601fc5ab77e546b
SHA256

aeb5c20d221dbabe7aea05554721a6d292ac662ecedda393f239b776526144ea
SHA512

da6663b49031fe86d475828af5d027ed7e4328759ca32cae999c21e466e78d7f0cf1a05b468ae743e7f2c8810ecc822b87edfc980ba71d0af028e7fa68925a45
SSDEEP

24576:My1xnmYeFYCTWY1wUm1iHCgLPH/UzzmyevduwgbBadmtF:71xn9CTWjs5Uzixv2Badk

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af8e-33.dat	healer
behavioral1/files/0x000700000001af8e-34.dat	healer
behavioral1/memory/1884-35-0x00000000002F0000-0x00000000002FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q5932554.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q5932554.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q5932554.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q5932554.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q5932554.exe

Executes dropped EXE 6 IoCs

pid	Process
4480	z4489517.exe
4476	z2930104.exe
2320	z3235655.exe
1764	z2845667.exe
1884	q5932554.exe
3080	r7757756.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q5932554.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2845667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aeb5c20d221dbabe7aea05554721a6d292ac662ecedda393f239b776526144ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4489517.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2930104.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3235655.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3080 set thread context of 5044	3080	r7757756.exe	79

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3592	3080	WerFault.exe	76
380	5044	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1884	q5932554.exe
1884	q5932554.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	q5932554.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4480	4512	aeb5c20d221dbabe7aea05554721a6d292ac662ecedda393f239b776526144ea.exe	71
PID 4512 wrote to memory of 4480	4512	aeb5c20d221dbabe7aea05554721a6d292ac662ecedda393f239b776526144ea.exe	71
PID 4512 wrote to memory of 4480	4512	aeb5c20d221dbabe7aea05554721a6d292ac662ecedda393f239b776526144ea.exe	71
PID 4480 wrote to memory of 4476	4480	z4489517.exe	72
PID 4480 wrote to memory of 4476	4480	z4489517.exe	72
PID 4480 wrote to memory of 4476	4480	z4489517.exe	72
PID 4476 wrote to memory of 2320	4476	z2930104.exe	73
PID 4476 wrote to memory of 2320	4476	z2930104.exe	73
PID 4476 wrote to memory of 2320	4476	z2930104.exe	73
PID 2320 wrote to memory of 1764	2320	z3235655.exe	74
PID 2320 wrote to memory of 1764	2320	z3235655.exe	74
PID 2320 wrote to memory of 1764	2320	z3235655.exe	74
PID 1764 wrote to memory of 1884	1764	z2845667.exe	75
PID 1764 wrote to memory of 1884	1764	z2845667.exe	75
PID 1764 wrote to memory of 3080	1764	z2845667.exe	76
PID 1764 wrote to memory of 3080	1764	z2845667.exe	76
PID 1764 wrote to memory of 3080	1764	z2845667.exe	76
PID 3080 wrote to memory of 672	3080	r7757756.exe	78
PID 3080 wrote to memory of 672	3080	r7757756.exe	78
PID 3080 wrote to memory of 672	3080	r7757756.exe	78
PID 3080 wrote to memory of 5044	3080	r7757756.exe	79
PID 3080 wrote to memory of 5044	3080	r7757756.exe	79
PID 3080 wrote to memory of 5044	3080	r7757756.exe	79
PID 3080 wrote to memory of 5044	3080	r7757756.exe	79
PID 3080 wrote to memory of 5044	3080	r7757756.exe	79
PID 3080 wrote to memory of 5044	3080	r7757756.exe	79
PID 3080 wrote to memory of 5044	3080	r7757756.exe	79
PID 3080 wrote to memory of 5044	3080	r7757756.exe	79
PID 3080 wrote to memory of 5044	3080	r7757756.exe	79
PID 3080 wrote to memory of 5044	3080	r7757756.exe	79

C:\Users\Admin\AppData\Local\Temp\aeb5c20d221dbabe7aea05554721a6d292ac662ecedda393f239b776526144ea.exe
"C:\Users\Admin\AppData\Local\Temp\aeb5c20d221dbabe7aea05554721a6d292ac662ecedda393f239b776526144ea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4489517.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4489517.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2930104.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2930104.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3235655.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3235655.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2845667.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2845667.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5932554.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5932554.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7757756.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7757756.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 568
        8⤵
        Program crash
        
        PID:380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 580
        7⤵
        Program crash
        
        PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4489517.exe

Filesize
938KB

MD5
1c387fd80f12f4752cda66ecb739316a

SHA1
b9cf0466b7179fdc33f025eb0e22fc1479441cc1

SHA256
797c8e4a1707fc37444d7417dec94adca1ad391a9a3019f925d2105b7473abec

SHA512
c4b0b6e7a595c08d3d6a47db22064513154db6ab30aa3921b02d9780b0f781ea88311512d4bd78be0f98d402c7593fe1172beb1a2eb25aec1351ce6a8ba12e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4489517.exe

Filesize
938KB

MD5
1c387fd80f12f4752cda66ecb739316a

SHA1
b9cf0466b7179fdc33f025eb0e22fc1479441cc1

SHA256
797c8e4a1707fc37444d7417dec94adca1ad391a9a3019f925d2105b7473abec

SHA512
c4b0b6e7a595c08d3d6a47db22064513154db6ab30aa3921b02d9780b0f781ea88311512d4bd78be0f98d402c7593fe1172beb1a2eb25aec1351ce6a8ba12e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2930104.exe

Filesize
755KB

MD5
23730af01b983b3f38652cbebf26fe2f

SHA1
b29885daaa223e56f1ce8688dc1fc558a90e17ee

SHA256
d9e1aa60e376823dd591e6b8b90fbfabefcae556cb5c3ad07903bea016cfa7a0

SHA512
2bd3d9facf167bbb2dea4f797026dc590c26721d46c080d2574322f81acb00e882d62df7c5f52cdc7c2df58e489b846aed753ff0692816ce2c8e476e45826d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2930104.exe

Filesize
755KB

MD5
23730af01b983b3f38652cbebf26fe2f

SHA1
b29885daaa223e56f1ce8688dc1fc558a90e17ee

SHA256
d9e1aa60e376823dd591e6b8b90fbfabefcae556cb5c3ad07903bea016cfa7a0

SHA512
2bd3d9facf167bbb2dea4f797026dc590c26721d46c080d2574322f81acb00e882d62df7c5f52cdc7c2df58e489b846aed753ff0692816ce2c8e476e45826d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3235655.exe

Filesize
572KB

MD5
1795facaeea433043a0d059f34ac3773

SHA1
0008eadc908ba16a87f96a95f747ad2229a2916c

SHA256
62af0edaa95567b6ee25ddc9a8688c9902fbab00bfecb137f0c1102c5592f6bb

SHA512
e469a27559c14edbff90a747372df7571c8dc9fbcb6fdf6a2b28add9b0ada6621e71fde63e085f525f8e8a4898a4f655ffb1e9879c4e7cd7b339b81252ca592c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3235655.exe

Filesize
572KB

MD5
1795facaeea433043a0d059f34ac3773

SHA1
0008eadc908ba16a87f96a95f747ad2229a2916c

SHA256
62af0edaa95567b6ee25ddc9a8688c9902fbab00bfecb137f0c1102c5592f6bb

SHA512
e469a27559c14edbff90a747372df7571c8dc9fbcb6fdf6a2b28add9b0ada6621e71fde63e085f525f8e8a4898a4f655ffb1e9879c4e7cd7b339b81252ca592c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2845667.exe

Filesize
309KB

MD5
bbd4c1c2afa618609fb6ac39b5168bf2

SHA1
125d62c5fdeb0ecd7bf766bfc4b327628c46422b

SHA256
a8e8561a08d5b9a3013527d6594c3ecd2eb05f4ebaefe41a8c5e69215339cd4c

SHA512
8a91df1d0bd0a0d2485fbcdd42daeafe2de8d27d0576e28bae547f2c8cb139cc3a84f6f67abb0bd0e90dd726abf2a159dfabef041c151628194d6c9b8cdd60fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2845667.exe

Filesize
309KB

MD5
bbd4c1c2afa618609fb6ac39b5168bf2

SHA1
125d62c5fdeb0ecd7bf766bfc4b327628c46422b

SHA256
a8e8561a08d5b9a3013527d6594c3ecd2eb05f4ebaefe41a8c5e69215339cd4c

SHA512
8a91df1d0bd0a0d2485fbcdd42daeafe2de8d27d0576e28bae547f2c8cb139cc3a84f6f67abb0bd0e90dd726abf2a159dfabef041c151628194d6c9b8cdd60fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5932554.exe

Filesize
11KB

MD5
444623ddfcf837432df1278bb4b5f400

SHA1
fccb5cfb95586d5f5cd2493d576ed093758dcbea

SHA256
601c3c27fdbdf487a8a1871cb060e33abcefaf2b5e7f698b2ba1933fced5f490

SHA512
1e645e8114ea0ea0d4958b0af241caee1c8dfc5c9b0cb9e54a7985214954b30c9dd7aea784f68b9a2c6ca79495f0e5a6e9fe38010b4fe18cfc60c505b9b12c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5932554.exe

Filesize
11KB

MD5
444623ddfcf837432df1278bb4b5f400

SHA1
fccb5cfb95586d5f5cd2493d576ed093758dcbea

SHA256
601c3c27fdbdf487a8a1871cb060e33abcefaf2b5e7f698b2ba1933fced5f490

SHA512
1e645e8114ea0ea0d4958b0af241caee1c8dfc5c9b0cb9e54a7985214954b30c9dd7aea784f68b9a2c6ca79495f0e5a6e9fe38010b4fe18cfc60c505b9b12c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7757756.exe

Filesize
304KB

MD5
e736ba2393000f629ba26a14908f114c

SHA1
49c635f34413d1e546f7dbd99dd77fb473eecafe

SHA256
532b127c571a5a5f181515d0bf6ecc673eece20680acba61106d43b7a8a5b1cc

SHA512
19ee83b63ee08d189d01a1b3e40e2f19b4c4b3bb32029a615f79af96ef6e752a9a2fdc077b8139c0a4635c4c65c34a2fff7036bfac6379260c6fddd68efa50a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7757756.exe

Filesize
304KB

MD5
e736ba2393000f629ba26a14908f114c

SHA1
49c635f34413d1e546f7dbd99dd77fb473eecafe

SHA256
532b127c571a5a5f181515d0bf6ecc673eece20680acba61106d43b7a8a5b1cc

SHA512
19ee83b63ee08d189d01a1b3e40e2f19b4c4b3bb32029a615f79af96ef6e752a9a2fdc077b8139c0a4635c4c65c34a2fff7036bfac6379260c6fddd68efa50a9

Download Submit
memory/1884-35-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/1884-36-0x00007FFA71AB0000-0x00007FFA7249C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-38-0x00007FFA71AB0000-0x00007FFA7249C000-memory.dmp

Filesize
9.9MB

Download
memory/5044-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5044-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5044-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5044-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download