healer | 4c1bc47eac03ad163f3aff07ad015f1944694807a7d74cadd7f2593f1333a515

Analysis

max time kernel
117s
max time network
126s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
01/10/2023, 15:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4c1bc47eac03ad163f3aff07ad015f1944694807a7d74cadd7f2593f1333a515.exe
Size

1.0MB
MD5

f74dc7c714f7b31c920ccee9618541f9
SHA1

123c178bb688fe675c7dc381e907f9d27372331c
SHA256

4c1bc47eac03ad163f3aff07ad015f1944694807a7d74cadd7f2593f1333a515
SHA512

8d921f2a571b0490fd35eaa06d4e456b261e468a1d1b101c332d1bfcb3baeb764f7b61317d9e85f12d00b7f28578bedb76473d70fe1a40ab37b6fda5fbae3b15
SSDEEP

24576:nyJDX+rvFr07tJACxA0paR11RH2G2DTnb:y9XMheACO0pafH2RTn

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afc6-33.dat	healer
behavioral1/files/0x000700000001afc6-34.dat	healer
behavioral1/memory/1360-35-0x0000000000FD0000-0x0000000000FDA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q7910549.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q7910549.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q7910549.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q7910549.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q7910549.exe

Executes dropped EXE 6 IoCs

pid	Process
4452	z8514246.exe
4320	z6939157.exe
236	z0325295.exe
3868	z4235265.exe
1360	q7910549.exe
2488	r8927662.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q7910549.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c1bc47eac03ad163f3aff07ad015f1944694807a7d74cadd7f2593f1333a515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8514246.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6939157.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0325295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4235265.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2488 set thread context of 4468	2488	r8927662.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4520	2488	WerFault.exe	75
4852	4468	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1360	q7910549.exe
1360	q7910549.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	q7910549.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 4452	1712	4c1bc47eac03ad163f3aff07ad015f1944694807a7d74cadd7f2593f1333a515.exe	70
PID 1712 wrote to memory of 4452	1712	4c1bc47eac03ad163f3aff07ad015f1944694807a7d74cadd7f2593f1333a515.exe	70
PID 1712 wrote to memory of 4452	1712	4c1bc47eac03ad163f3aff07ad015f1944694807a7d74cadd7f2593f1333a515.exe	70
PID 4452 wrote to memory of 4320	4452	z8514246.exe	71
PID 4452 wrote to memory of 4320	4452	z8514246.exe	71
PID 4452 wrote to memory of 4320	4452	z8514246.exe	71
PID 4320 wrote to memory of 236	4320	z6939157.exe	72
PID 4320 wrote to memory of 236	4320	z6939157.exe	72
PID 4320 wrote to memory of 236	4320	z6939157.exe	72
PID 236 wrote to memory of 3868	236	z0325295.exe	73
PID 236 wrote to memory of 3868	236	z0325295.exe	73
PID 236 wrote to memory of 3868	236	z0325295.exe	73
PID 3868 wrote to memory of 1360	3868	z4235265.exe	74
PID 3868 wrote to memory of 1360	3868	z4235265.exe	74
PID 3868 wrote to memory of 2488	3868	z4235265.exe	75
PID 3868 wrote to memory of 2488	3868	z4235265.exe	75
PID 3868 wrote to memory of 2488	3868	z4235265.exe	75
PID 2488 wrote to memory of 4468	2488	r8927662.exe	77
PID 2488 wrote to memory of 4468	2488	r8927662.exe	77
PID 2488 wrote to memory of 4468	2488	r8927662.exe	77
PID 2488 wrote to memory of 4468	2488	r8927662.exe	77
PID 2488 wrote to memory of 4468	2488	r8927662.exe	77
PID 2488 wrote to memory of 4468	2488	r8927662.exe	77
PID 2488 wrote to memory of 4468	2488	r8927662.exe	77
PID 2488 wrote to memory of 4468	2488	r8927662.exe	77
PID 2488 wrote to memory of 4468	2488	r8927662.exe	77
PID 2488 wrote to memory of 4468	2488	r8927662.exe	77

C:\Users\Admin\AppData\Local\Temp\4c1bc47eac03ad163f3aff07ad015f1944694807a7d74cadd7f2593f1333a515.exe
"C:\Users\Admin\AppData\Local\Temp\4c1bc47eac03ad163f3aff07ad015f1944694807a7d74cadd7f2593f1333a515.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8514246.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8514246.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6939157.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6939157.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0325295.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0325295.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:236
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4235265.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4235265.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7910549.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7910549.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8927662.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8927662.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 568
        8⤵
        Program crash
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 584
        7⤵
        Program crash
        
        PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8514246.exe

Filesize
937KB

MD5
0358c094e15ec1d93d95606989788456

SHA1
43f3278c2f4e4719c39c3564b16a49c562a76198

SHA256
311912ff42bda3ba16ada123a97bbfb352bed6e00e5eef4a0e800915901f981c

SHA512
1956913775c870055b91d7008c1ffe530eb698838a30c5292744d3fe353be23a13f649761436cc4072d23c5ca7940246ed4a7b888aa578141f77f99a82ca14b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8514246.exe

Filesize
937KB

MD5
0358c094e15ec1d93d95606989788456

SHA1
43f3278c2f4e4719c39c3564b16a49c562a76198

SHA256
311912ff42bda3ba16ada123a97bbfb352bed6e00e5eef4a0e800915901f981c

SHA512
1956913775c870055b91d7008c1ffe530eb698838a30c5292744d3fe353be23a13f649761436cc4072d23c5ca7940246ed4a7b888aa578141f77f99a82ca14b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6939157.exe

Filesize
754KB

MD5
bc0072c6801c8a0ef8193761547eed6d

SHA1
a0879c945022b2de3b6dc46e28337b3205c2d327

SHA256
a88a81bee0d72e788efacbe7402b68bf3d724eba6f5937ac13124d2cd1042354

SHA512
12af0b78fa1c1c8494a1bff49896be8f3df95b41398848534d389494611919029e29ec7297d0d5ebdd3f9d72882213e50b696d9dac3c40963e6a479351ad9238

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6939157.exe

Filesize
754KB

MD5
bc0072c6801c8a0ef8193761547eed6d

SHA1
a0879c945022b2de3b6dc46e28337b3205c2d327

SHA256
a88a81bee0d72e788efacbe7402b68bf3d724eba6f5937ac13124d2cd1042354

SHA512
12af0b78fa1c1c8494a1bff49896be8f3df95b41398848534d389494611919029e29ec7297d0d5ebdd3f9d72882213e50b696d9dac3c40963e6a479351ad9238

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0325295.exe

Filesize
572KB

MD5
505911bbcd3e9ffb638df690b31fa3ba

SHA1
5224f468fb442a86ebb80244c9ff0617c185f256

SHA256
d872c1776dd1cef31e1db6273a8e60b051cce887d98ce1b7ccf3cd8e55853620

SHA512
95dc6bd9e86ac2419b7b635e1be85c0e3bbcc1c51bcb15be63e5753ccc36eea4566eaeb7b469b6a90961e20bac2d4c26714902aaf77ef0ef84a1c39bd65afaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0325295.exe

Filesize
572KB

MD5
505911bbcd3e9ffb638df690b31fa3ba

SHA1
5224f468fb442a86ebb80244c9ff0617c185f256

SHA256
d872c1776dd1cef31e1db6273a8e60b051cce887d98ce1b7ccf3cd8e55853620

SHA512
95dc6bd9e86ac2419b7b635e1be85c0e3bbcc1c51bcb15be63e5753ccc36eea4566eaeb7b469b6a90961e20bac2d4c26714902aaf77ef0ef84a1c39bd65afaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4235265.exe

Filesize
309KB

MD5
87d70f5ed9156fdcefc5d2bfafa61b30

SHA1
1e51d536b2cab016a36778c41cf9627daee43446

SHA256
54bf88447d936b43faed37e15eb8f00ca672c8478db66b0a0e271da3c8db0e6b

SHA512
21e62907a83d0a8d01de9d353cfe3cca684ad8732f86b29763255d7b062abd137a16315c8f34ba93264f792284f34efbe6320f19147a1135963214866abe8056

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4235265.exe

Filesize
309KB

MD5
87d70f5ed9156fdcefc5d2bfafa61b30

SHA1
1e51d536b2cab016a36778c41cf9627daee43446

SHA256
54bf88447d936b43faed37e15eb8f00ca672c8478db66b0a0e271da3c8db0e6b

SHA512
21e62907a83d0a8d01de9d353cfe3cca684ad8732f86b29763255d7b062abd137a16315c8f34ba93264f792284f34efbe6320f19147a1135963214866abe8056

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7910549.exe

Filesize
11KB

MD5
8049e71888ff041f4fa1afce82cc1dd6

SHA1
057a9a55a81dae9428d7023f11dabfb2d2b8095f

SHA256
479076695d105e53b0116565376c01af1a216c2f4a62389f9eef696b78c0dda6

SHA512
570b943be0eee0482f7af50a617b9e5978b3c578c24acf79c1c88297389949c98c8e1afed6a7e8513899cb5986c3700d79332170bba712a771ce739191acbebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7910549.exe

Filesize
11KB

MD5
8049e71888ff041f4fa1afce82cc1dd6

SHA1
057a9a55a81dae9428d7023f11dabfb2d2b8095f

SHA256
479076695d105e53b0116565376c01af1a216c2f4a62389f9eef696b78c0dda6

SHA512
570b943be0eee0482f7af50a617b9e5978b3c578c24acf79c1c88297389949c98c8e1afed6a7e8513899cb5986c3700d79332170bba712a771ce739191acbebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8927662.exe

Filesize
304KB

MD5
6ac2afbeb297f521e75c9359bbcfb9ec

SHA1
0726cd96bc058f52b53738f57b4f95fc9802a41f

SHA256
dd149505d183fcc5ee9bc187c5d10fac72c407c85ceee8ba8f1b026827aa3221

SHA512
3cbf4ef4dbddc2da6a78619a8b62da7b6aea95d502e6a840b08c8d2a12529b2bcad70dfe4089a7ecf3957c216a3f10c81c914cbfa29bafd4d61e908c4738616a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8927662.exe

Filesize
304KB

MD5
6ac2afbeb297f521e75c9359bbcfb9ec

SHA1
0726cd96bc058f52b53738f57b4f95fc9802a41f

SHA256
dd149505d183fcc5ee9bc187c5d10fac72c407c85ceee8ba8f1b026827aa3221

SHA512
3cbf4ef4dbddc2da6a78619a8b62da7b6aea95d502e6a840b08c8d2a12529b2bcad70dfe4089a7ecf3957c216a3f10c81c914cbfa29bafd4d61e908c4738616a

Download Submit
memory/1360-35-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

Filesize
40KB

Download
memory/1360-36-0x00007FFEE29E0000-0x00007FFEE33CC000-memory.dmp

Filesize
9.9MB

Download
memory/1360-38-0x00007FFEE29E0000-0x00007FFEE33CC000-memory.dmp

Filesize
9.9MB

Download
memory/4468-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4468-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4468-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4468-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download