healer | e6f93bea28f6b9d362ae02eef187d369cb6b81cf01558df5a499429aa2ebc771

Analysis

max time kernel
135s
max time network
140s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
02/10/2023, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6f93bea28f6b9d362ae02eef187d369cb6b81cf01558df5a499429aa2ebc771.exe
Size

1.0MB
MD5

b120dc868a8ccc79f8fa9546942c17ca
SHA1

68dfb5cc5f325e957ab1bd03d31c2815db29e093
SHA256

e6f93bea28f6b9d362ae02eef187d369cb6b81cf01558df5a499429aa2ebc771
SHA512

882836ba95a032602a15b7505356e8b1b6fb61c7ec84abf4cb9719afe0a068bb2ef14e83bc8298125c8d9adf6a45621a6f83f78ed8569352e2dd007a37b1e78d
SSDEEP

24576:TyxbRNCaPD7nb5/47ftxIqA8cHPpPGfOpLHzWjOrpON:mxbRNCGbwft/4vpPGfOpLTWjl

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afdc-33.dat	healer
behavioral1/files/0x000700000001afdc-34.dat	healer
behavioral1/memory/4328-35-0x00000000000C0000-0x00000000000CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q1296940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q1296940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q1296940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q1296940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q1296940.exe

Executes dropped EXE 6 IoCs

pid	Process
380	z5178889.exe
3532	z8418320.exe
2516	z5628009.exe
4820	z7982498.exe
4328	q1296940.exe
2112	r8973877.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q1296940.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z7982498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e6f93bea28f6b9d362ae02eef187d369cb6b81cf01558df5a499429aa2ebc771.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5178889.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8418320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5628009.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 4020	2112	r8973877.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
420	2112	WerFault.exe	75
2820	4020	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4328	q1296940.exe
4328	q1296940.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	q1296940.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 380	2696	e6f93bea28f6b9d362ae02eef187d369cb6b81cf01558df5a499429aa2ebc771.exe	70
PID 2696 wrote to memory of 380	2696	e6f93bea28f6b9d362ae02eef187d369cb6b81cf01558df5a499429aa2ebc771.exe	70
PID 2696 wrote to memory of 380	2696	e6f93bea28f6b9d362ae02eef187d369cb6b81cf01558df5a499429aa2ebc771.exe	70
PID 380 wrote to memory of 3532	380	z5178889.exe	71
PID 380 wrote to memory of 3532	380	z5178889.exe	71
PID 380 wrote to memory of 3532	380	z5178889.exe	71
PID 3532 wrote to memory of 2516	3532	z8418320.exe	72
PID 3532 wrote to memory of 2516	3532	z8418320.exe	72
PID 3532 wrote to memory of 2516	3532	z8418320.exe	72
PID 2516 wrote to memory of 4820	2516	z5628009.exe	73
PID 2516 wrote to memory of 4820	2516	z5628009.exe	73
PID 2516 wrote to memory of 4820	2516	z5628009.exe	73
PID 4820 wrote to memory of 4328	4820	z7982498.exe	74
PID 4820 wrote to memory of 4328	4820	z7982498.exe	74
PID 4820 wrote to memory of 2112	4820	z7982498.exe	75
PID 4820 wrote to memory of 2112	4820	z7982498.exe	75
PID 4820 wrote to memory of 2112	4820	z7982498.exe	75
PID 2112 wrote to memory of 4020	2112	r8973877.exe	77
PID 2112 wrote to memory of 4020	2112	r8973877.exe	77
PID 2112 wrote to memory of 4020	2112	r8973877.exe	77
PID 2112 wrote to memory of 4020	2112	r8973877.exe	77
PID 2112 wrote to memory of 4020	2112	r8973877.exe	77
PID 2112 wrote to memory of 4020	2112	r8973877.exe	77
PID 2112 wrote to memory of 4020	2112	r8973877.exe	77
PID 2112 wrote to memory of 4020	2112	r8973877.exe	77
PID 2112 wrote to memory of 4020	2112	r8973877.exe	77
PID 2112 wrote to memory of 4020	2112	r8973877.exe	77

C:\Users\Admin\AppData\Local\Temp\e6f93bea28f6b9d362ae02eef187d369cb6b81cf01558df5a499429aa2ebc771.exe
"C:\Users\Admin\AppData\Local\Temp\e6f93bea28f6b9d362ae02eef187d369cb6b81cf01558df5a499429aa2ebc771.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5178889.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5178889.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8418320.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8418320.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5628009.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5628009.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7982498.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7982498.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1296940.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1296940.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8973877.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8973877.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 568
        8⤵
        Program crash
        
        PID:2820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 144
        7⤵
        Program crash
        
        PID:420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5178889.exe

Filesize
938KB

MD5
656bf88beb2ab04e94bc42a637c7384a

SHA1
62d21f3d87ae01b7cfecdd87171961908d3505f7

SHA256
e05d83b5a0c825c5f04f1dda4ac0d6e0604be08d30609dedbc7c2679d8f7de13

SHA512
191bf448b79f2abe5567ad1ef18a6dc81ec529e82e90ae82500ae3d4559cb53a53dbff52160b702149259c7d40d3d241caea008eb2df6b01da0e388fe21544a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5178889.exe

Filesize
938KB

MD5
656bf88beb2ab04e94bc42a637c7384a

SHA1
62d21f3d87ae01b7cfecdd87171961908d3505f7

SHA256
e05d83b5a0c825c5f04f1dda4ac0d6e0604be08d30609dedbc7c2679d8f7de13

SHA512
191bf448b79f2abe5567ad1ef18a6dc81ec529e82e90ae82500ae3d4559cb53a53dbff52160b702149259c7d40d3d241caea008eb2df6b01da0e388fe21544a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8418320.exe

Filesize
755KB

MD5
34438a41f20e3855a75503f5cbcc2374

SHA1
2c38bd945543290a6736832c52d0cfc59b8501f5

SHA256
b73aec81339cf8c42e5aa8a8772476625108d369122b6ce26c671a36454e669f

SHA512
3b46f9e13db2e58d9caf7764bcb7b283379e21c1f087fd4e5041bd09358ff7dcd4fafccfa19516f07116c119df6d1170552d5e27abca600fd89cc323de97732c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8418320.exe

Filesize
755KB

MD5
34438a41f20e3855a75503f5cbcc2374

SHA1
2c38bd945543290a6736832c52d0cfc59b8501f5

SHA256
b73aec81339cf8c42e5aa8a8772476625108d369122b6ce26c671a36454e669f

SHA512
3b46f9e13db2e58d9caf7764bcb7b283379e21c1f087fd4e5041bd09358ff7dcd4fafccfa19516f07116c119df6d1170552d5e27abca600fd89cc323de97732c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5628009.exe

Filesize
572KB

MD5
de8425cd5487f3f34293569c7ac5dd55

SHA1
1e590796e6629dfda4d3afa3a83b69f0f0b6a44c

SHA256
4de9a815944a22e7f60a86005802b28cafa677d28c06a5ee48b8c0a0c49d93c9

SHA512
40c0d16dfd13b55471264ad5ac9661f208951ff44e7f2a70a22b8d2372b922a0fdae0c909c6d93c421b91a6682a9fbd2c3fb63b9e6044eee039372a9c587e835

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5628009.exe

Filesize
572KB

MD5
de8425cd5487f3f34293569c7ac5dd55

SHA1
1e590796e6629dfda4d3afa3a83b69f0f0b6a44c

SHA256
4de9a815944a22e7f60a86005802b28cafa677d28c06a5ee48b8c0a0c49d93c9

SHA512
40c0d16dfd13b55471264ad5ac9661f208951ff44e7f2a70a22b8d2372b922a0fdae0c909c6d93c421b91a6682a9fbd2c3fb63b9e6044eee039372a9c587e835

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7982498.exe

Filesize
309KB

MD5
05078e87e208afdc05be6a7dae2786f9

SHA1
c953564407947b7434446895bfa6048dc6017077

SHA256
a6d57b1765ec4ad4b09bf1ae0e000c564bd66a8c6d1ead5a7bc27b97a2cd3c3c

SHA512
b21c71a0f005d2b6869cf681738b405de6df12b261944dc78e3f89ecb171e500c9f51af7b060ad24446b33a662ce0e68e02a9976484866956dba17b471cbca7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7982498.exe

Filesize
309KB

MD5
05078e87e208afdc05be6a7dae2786f9

SHA1
c953564407947b7434446895bfa6048dc6017077

SHA256
a6d57b1765ec4ad4b09bf1ae0e000c564bd66a8c6d1ead5a7bc27b97a2cd3c3c

SHA512
b21c71a0f005d2b6869cf681738b405de6df12b261944dc78e3f89ecb171e500c9f51af7b060ad24446b33a662ce0e68e02a9976484866956dba17b471cbca7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1296940.exe

Filesize
11KB

MD5
1c420bd47a6d502fc547a339e9106b86

SHA1
8d7de1494bd7114b5b9873d909a8af8d7e5fcdd4

SHA256
dc6650de954640548640046f7b28e5bdb4d76088ad69b9a92c2dca357c17fb9e

SHA512
5d4141dfdf1b6d355ad2cb37bd021106661880b9cc05899bd0a4c7a0bdf05e76ec2366b2da1a2fbd572c442c8ac8d7bc70a22bb8ed845704f5ee3c390c10944f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1296940.exe

Filesize
11KB

MD5
1c420bd47a6d502fc547a339e9106b86

SHA1
8d7de1494bd7114b5b9873d909a8af8d7e5fcdd4

SHA256
dc6650de954640548640046f7b28e5bdb4d76088ad69b9a92c2dca357c17fb9e

SHA512
5d4141dfdf1b6d355ad2cb37bd021106661880b9cc05899bd0a4c7a0bdf05e76ec2366b2da1a2fbd572c442c8ac8d7bc70a22bb8ed845704f5ee3c390c10944f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8973877.exe

Filesize
304KB

MD5
428b9bafdcb24f2d5014be4f7e864120

SHA1
46fb9b1e5d54bfa4344ba1610b79ae85edf634c6

SHA256
064bdcc2fdb8f08d1321ccac244bf1b834f40ebff1ed0cfe90dcf1d9d19589d6

SHA512
f3c8f21fffad17581e70941891a69ec5cedaf845d9650df9e6118b66a15c8f57063ea21aca320f01657f0d8ff4d65eddfdfbd9a080e83d5ba29565f8ac68868e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8973877.exe

Filesize
304KB

MD5
428b9bafdcb24f2d5014be4f7e864120

SHA1
46fb9b1e5d54bfa4344ba1610b79ae85edf634c6

SHA256
064bdcc2fdb8f08d1321ccac244bf1b834f40ebff1ed0cfe90dcf1d9d19589d6

SHA512
f3c8f21fffad17581e70941891a69ec5cedaf845d9650df9e6118b66a15c8f57063ea21aca320f01657f0d8ff4d65eddfdfbd9a080e83d5ba29565f8ac68868e

Download Submit
memory/4020-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4020-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4020-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4020-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4328-35-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/4328-36-0x00007FFD349D0000-0x00007FFD353BC000-memory.dmp

Filesize
9.9MB

Download
memory/4328-38-0x00007FFD349D0000-0x00007FFD353BC000-memory.dmp

Filesize
9.9MB

Download