healer | bd13eb95197136d2127656acf910298b33a7a6d9ca990a2da6f3b9919affd5f3

Analysis

max time kernel
128s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
02/10/2023, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd13eb95197136d2127656acf910298b33a7a6d9ca990a2da6f3b9919affd5f3.exe
Size

1.1MB
MD5

dd8cf6125f3be41e6cdbbd0efdb37afe
SHA1

74afbaed38a1ee54316b40ca917bbb4436e01ff5
SHA256

bd13eb95197136d2127656acf910298b33a7a6d9ca990a2da6f3b9919affd5f3
SHA512

b46e4f9429630a57d6898388dce59bed2f01d20aa0f6f88ebd3f4cda8b59390d097f35c90aeb9c5de8f8ff1c6417b5f2b19ffe1d2340f78517b5a7b839498562
SSDEEP

24576:Ryf19lAN4khkoNE1rQZyNMGY+N3bfBUOabDn6:Ef7l9gGt3bW3Hn

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000001afc4-33.dat	healer
behavioral1/files/0x000800000001afc4-34.dat	healer
behavioral1/memory/4924-35-0x00000000005F0000-0x00000000005FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q9294437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q9294437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q9294437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q9294437.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q9294437.exe

Executes dropped EXE 6 IoCs

pid	Process
3416	z0309756.exe
1120	z5283081.exe
4272	z4133810.exe
1320	z3736255.exe
4924	q9294437.exe
4556	r4080267.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q9294437.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z3736255.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bd13eb95197136d2127656acf910298b33a7a6d9ca990a2da6f3b9919affd5f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0309756.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5283081.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4133810.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4556 set thread context of 4440	4556	r4080267.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4364	4440	WerFault.exe	77
5072	4556	WerFault.exe	75

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4924	q9294437.exe
4924	q9294437.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	q9294437.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 3416	4560	bd13eb95197136d2127656acf910298b33a7a6d9ca990a2da6f3b9919affd5f3.exe	70
PID 4560 wrote to memory of 3416	4560	bd13eb95197136d2127656acf910298b33a7a6d9ca990a2da6f3b9919affd5f3.exe	70
PID 4560 wrote to memory of 3416	4560	bd13eb95197136d2127656acf910298b33a7a6d9ca990a2da6f3b9919affd5f3.exe	70
PID 3416 wrote to memory of 1120	3416	z0309756.exe	71
PID 3416 wrote to memory of 1120	3416	z0309756.exe	71
PID 3416 wrote to memory of 1120	3416	z0309756.exe	71
PID 1120 wrote to memory of 4272	1120	z5283081.exe	72
PID 1120 wrote to memory of 4272	1120	z5283081.exe	72
PID 1120 wrote to memory of 4272	1120	z5283081.exe	72
PID 4272 wrote to memory of 1320	4272	z4133810.exe	73
PID 4272 wrote to memory of 1320	4272	z4133810.exe	73
PID 4272 wrote to memory of 1320	4272	z4133810.exe	73
PID 1320 wrote to memory of 4924	1320	z3736255.exe	74
PID 1320 wrote to memory of 4924	1320	z3736255.exe	74
PID 1320 wrote to memory of 4556	1320	z3736255.exe	75
PID 1320 wrote to memory of 4556	1320	z3736255.exe	75
PID 1320 wrote to memory of 4556	1320	z3736255.exe	75
PID 4556 wrote to memory of 4440	4556	r4080267.exe	77
PID 4556 wrote to memory of 4440	4556	r4080267.exe	77
PID 4556 wrote to memory of 4440	4556	r4080267.exe	77
PID 4556 wrote to memory of 4440	4556	r4080267.exe	77
PID 4556 wrote to memory of 4440	4556	r4080267.exe	77
PID 4556 wrote to memory of 4440	4556	r4080267.exe	77
PID 4556 wrote to memory of 4440	4556	r4080267.exe	77
PID 4556 wrote to memory of 4440	4556	r4080267.exe	77
PID 4556 wrote to memory of 4440	4556	r4080267.exe	77
PID 4556 wrote to memory of 4440	4556	r4080267.exe	77

C:\Users\Admin\AppData\Local\Temp\bd13eb95197136d2127656acf910298b33a7a6d9ca990a2da6f3b9919affd5f3.exe
"C:\Users\Admin\AppData\Local\Temp\bd13eb95197136d2127656acf910298b33a7a6d9ca990a2da6f3b9919affd5f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0309756.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0309756.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5283081.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5283081.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4133810.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4133810.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3736255.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3736255.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9294437.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9294437.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4080267.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4080267.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 568
        8⤵
        Program crash
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 148
        7⤵
        Program crash
        
        PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0309756.exe

Filesize
938KB

MD5
bd980cdbaddcfbd3738b3347697b7573

SHA1
80e261d6809787cdeb2c1af30c84c3bb8ebfcbcc

SHA256
596c5214bc82fc3dab6c98b80508ce8ebd43d08886b09d0a579f61a04faf1298

SHA512
fb3f8539d0b32093991c5fce9283664db15b2eaef8214c1d89f2f5aecdefc98d7b9fa164cfedf4eab3327cfbdcdd64feaf94634e8342be2b9a8bb69638da0b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0309756.exe

Filesize
938KB

MD5
bd980cdbaddcfbd3738b3347697b7573

SHA1
80e261d6809787cdeb2c1af30c84c3bb8ebfcbcc

SHA256
596c5214bc82fc3dab6c98b80508ce8ebd43d08886b09d0a579f61a04faf1298

SHA512
fb3f8539d0b32093991c5fce9283664db15b2eaef8214c1d89f2f5aecdefc98d7b9fa164cfedf4eab3327cfbdcdd64feaf94634e8342be2b9a8bb69638da0b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5283081.exe

Filesize
755KB

MD5
1ecb8e1c99f62dea9fde22ffa63ca7c9

SHA1
1bd14c8eb0715e8d76982564715c89a6a886109f

SHA256
328f1803d2b30b1b4ba4b0f760009fec8fa39b79acff039deadc411ec4f28e5d

SHA512
ae385e3ab7e7bb4e3e9050e2dbb0832b23c92f0cb1defa771abfc4cfa887dc5444ef1e2f380f6692739399d68530deb9438fce7050aeb2520009e252a0aea29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5283081.exe

Filesize
755KB

MD5
1ecb8e1c99f62dea9fde22ffa63ca7c9

SHA1
1bd14c8eb0715e8d76982564715c89a6a886109f

SHA256
328f1803d2b30b1b4ba4b0f760009fec8fa39b79acff039deadc411ec4f28e5d

SHA512
ae385e3ab7e7bb4e3e9050e2dbb0832b23c92f0cb1defa771abfc4cfa887dc5444ef1e2f380f6692739399d68530deb9438fce7050aeb2520009e252a0aea29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4133810.exe

Filesize
572KB

MD5
563edf2cbf256c738dd8856fd0d69fe2

SHA1
346e2e897e883d18ce81f8917915b24fc9d00440

SHA256
4630184eaa142a81f272139510c3fc6dd24ac46075ff116add8520b3709d2778

SHA512
28e96db59da8c439c0d5dc9b066c3fc97df7928902a1084bc2a9764f15682bc2f39a053ccd2ad241f73e65d164433145d3c58ec26a6b8b689745c16ca6148ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4133810.exe

Filesize
572KB

MD5
563edf2cbf256c738dd8856fd0d69fe2

SHA1
346e2e897e883d18ce81f8917915b24fc9d00440

SHA256
4630184eaa142a81f272139510c3fc6dd24ac46075ff116add8520b3709d2778

SHA512
28e96db59da8c439c0d5dc9b066c3fc97df7928902a1084bc2a9764f15682bc2f39a053ccd2ad241f73e65d164433145d3c58ec26a6b8b689745c16ca6148ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3736255.exe

Filesize
309KB

MD5
30471136470fac76dc11d8a2c6f93bc3

SHA1
bdb683c1d68a8293d0fabf53bacbe5f249fabcdd

SHA256
32c3e87a0b0211626a47ba785f0120fe0126a1001437527f2de5094a3422797a

SHA512
bb39df967086c374664c91fe5be36b492c5ff1560c7cca4a6bc225811a13e665b8796c1eb50f4c2b228d5b0874bcfe18cec02ff9ed05c1f01a9453b51ac8e972

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3736255.exe

Filesize
309KB

MD5
30471136470fac76dc11d8a2c6f93bc3

SHA1
bdb683c1d68a8293d0fabf53bacbe5f249fabcdd

SHA256
32c3e87a0b0211626a47ba785f0120fe0126a1001437527f2de5094a3422797a

SHA512
bb39df967086c374664c91fe5be36b492c5ff1560c7cca4a6bc225811a13e665b8796c1eb50f4c2b228d5b0874bcfe18cec02ff9ed05c1f01a9453b51ac8e972

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9294437.exe

Filesize
11KB

MD5
7f778c11eeeac3a7294e4fcff7ece2ea

SHA1
b716aa92d4fa5e0984a5ee585a0a850965d98442

SHA256
e670a933d1e532620e8d8d633a361ea6bab66051d513a5f91f5d373f15c9243d

SHA512
e00cdbd81d6f38831b6ee8ee2e185a70e53beabbb4294edd502a99fa5900cf9b619171db3e61dba8b6e51b43c97fdfebda265b68ca2b184cff65eff28b6ac958

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9294437.exe

Filesize
11KB

MD5
7f778c11eeeac3a7294e4fcff7ece2ea

SHA1
b716aa92d4fa5e0984a5ee585a0a850965d98442

SHA256
e670a933d1e532620e8d8d633a361ea6bab66051d513a5f91f5d373f15c9243d

SHA512
e00cdbd81d6f38831b6ee8ee2e185a70e53beabbb4294edd502a99fa5900cf9b619171db3e61dba8b6e51b43c97fdfebda265b68ca2b184cff65eff28b6ac958

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4080267.exe

Filesize
304KB

MD5
f28654e1aff24e3e75f0d027e13272bd

SHA1
c57e0c9dca7e57c1c568aecd9448ff214f8a7173

SHA256
0da01afc1a21c0c1f5b0da514b1bdb759d7a089d48efdde469fa6500253c5e7b

SHA512
db7620904731896d3350140638f412ed9e0ee5cf8a3a059501f7d8658eacd293be8cf2133b003ef1c7aafa4f8504d242e781e51e0579a7669d18fdc950b56da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4080267.exe

Filesize
304KB

MD5
f28654e1aff24e3e75f0d027e13272bd

SHA1
c57e0c9dca7e57c1c568aecd9448ff214f8a7173

SHA256
0da01afc1a21c0c1f5b0da514b1bdb759d7a089d48efdde469fa6500253c5e7b

SHA512
db7620904731896d3350140638f412ed9e0ee5cf8a3a059501f7d8658eacd293be8cf2133b003ef1c7aafa4f8504d242e781e51e0579a7669d18fdc950b56da4

Download Submit
memory/4440-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4440-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4440-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4440-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4924-35-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/4924-36-0x00007FF9AA630000-0x00007FF9AB01C000-memory.dmp

Filesize
9.9MB

Download
memory/4924-38-0x00007FF9AA630000-0x00007FF9AB01C000-memory.dmp

Filesize
9.9MB

Download