healer | b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20

Analysis

max time kernel
127s
max time network
133s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
03-10-2023 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe
Size

1.0MB
MD5

74695d85457c37dd2ca0ea211e5785c5
SHA1

2dd020ba103aa5cf5a1e2f1e0d1896da54da5644
SHA256

b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20
SHA512

363dbf33d418c6b74135451bf121a7f81a39bdbdf9906b627fa52f9a408bdbfb5779ec6f7d8aef0ee7cddda5ced0cd3163fcde6722f885bba8deda62c7188db3
SSDEEP

24576:+yzu61wxLpQJwjCkXMUNHJSrGFACMuy/hjVq5/CLh:NmpQmCkXHNpzJy/hg5/m

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af8b-33.dat	healer
behavioral1/files/0x000700000001af8b-34.dat	healer
behavioral1/memory/656-35-0x0000000000970000-0x000000000097A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q9797964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q9797964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q9797964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q9797964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q9797964.exe

Executes dropped EXE 6 IoCs

pid	Process
200	z8452820.exe
764	z9812812.exe
2476	z2452599.exe
4164	z8405370.exe
656	q9797964.exe
2332	r3304296.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q9797964.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9812812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2452599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z8405370.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8452820.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 3128	2332	r3304296.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1124	2332	WerFault.exe	75
1872	3128	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
656	q9797964.exe
656	q9797964.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	q9797964.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 200	332	b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe	70
PID 332 wrote to memory of 200	332	b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe	70
PID 332 wrote to memory of 200	332	b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe	70
PID 200 wrote to memory of 764	200	z8452820.exe	71
PID 200 wrote to memory of 764	200	z8452820.exe	71
PID 200 wrote to memory of 764	200	z8452820.exe	71
PID 764 wrote to memory of 2476	764	z9812812.exe	72
PID 764 wrote to memory of 2476	764	z9812812.exe	72
PID 764 wrote to memory of 2476	764	z9812812.exe	72
PID 2476 wrote to memory of 4164	2476	z2452599.exe	73
PID 2476 wrote to memory of 4164	2476	z2452599.exe	73
PID 2476 wrote to memory of 4164	2476	z2452599.exe	73
PID 4164 wrote to memory of 656	4164	z8405370.exe	74
PID 4164 wrote to memory of 656	4164	z8405370.exe	74
PID 4164 wrote to memory of 2332	4164	z8405370.exe	75
PID 4164 wrote to memory of 2332	4164	z8405370.exe	75
PID 4164 wrote to memory of 2332	4164	z8405370.exe	75
PID 2332 wrote to memory of 3128	2332	r3304296.exe	77
PID 2332 wrote to memory of 3128	2332	r3304296.exe	77
PID 2332 wrote to memory of 3128	2332	r3304296.exe	77
PID 2332 wrote to memory of 3128	2332	r3304296.exe	77
PID 2332 wrote to memory of 3128	2332	r3304296.exe	77
PID 2332 wrote to memory of 3128	2332	r3304296.exe	77
PID 2332 wrote to memory of 3128	2332	r3304296.exe	77
PID 2332 wrote to memory of 3128	2332	r3304296.exe	77
PID 2332 wrote to memory of 3128	2332	r3304296.exe	77
PID 2332 wrote to memory of 3128	2332	r3304296.exe	77

C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe
"C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 568
        8⤵
        Program crash
        
        PID:1872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 604
        7⤵
        Program crash
        
        PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe

Filesize
906KB

MD5
d067519496ac56226e4ca0a4a21adea2

SHA1
306093ba592ea835613fc4fe1bc02a68a1c82b89

SHA256
249b02bb16ea7fc59c3c112608ce7682402242f756ac6359484b641c405e7fb8

SHA512
ea4f346d18fa3b144263f20993ad2864fd838cd906ba4db8fe20f76c1619f143c2e8e73ce848b5e6f8d402526ea106be6afde5509f95bebead8588e08b3a3d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe

Filesize
906KB

MD5
d067519496ac56226e4ca0a4a21adea2

SHA1
306093ba592ea835613fc4fe1bc02a68a1c82b89

SHA256
249b02bb16ea7fc59c3c112608ce7682402242f756ac6359484b641c405e7fb8

SHA512
ea4f346d18fa3b144263f20993ad2864fd838cd906ba4db8fe20f76c1619f143c2e8e73ce848b5e6f8d402526ea106be6afde5509f95bebead8588e08b3a3d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe

Filesize
723KB

MD5
05707e311c996caee4862edf9a797f55

SHA1
f76f2f346aea5f04b760b2ed787f660b507b8138

SHA256
fc31a6ce744069eaa11e12cf0cb695268580adc43d2892a4b3fe55208c4683ed

SHA512
ad8e68b28940358b849f214c7b94b112845af74c94ba717c70d9c7ddc71d17bad53af22e7f2f09dbf0a24e8e693fc62b317cdaca0f2ed24262cd4369e3f811c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe

Filesize
723KB

MD5
05707e311c996caee4862edf9a797f55

SHA1
f76f2f346aea5f04b760b2ed787f660b507b8138

SHA256
fc31a6ce744069eaa11e12cf0cb695268580adc43d2892a4b3fe55208c4683ed

SHA512
ad8e68b28940358b849f214c7b94b112845af74c94ba717c70d9c7ddc71d17bad53af22e7f2f09dbf0a24e8e693fc62b317cdaca0f2ed24262cd4369e3f811c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe

Filesize
540KB

MD5
105bf4a316fb664e65b2e97ad6a5ecfd

SHA1
5c174d8a20a64fac0a9eadbef4b13bf69c35683e

SHA256
6a0b16bbf0a5d5a20005fd9253001e89a1fc4e5016e291f21096df7b09e72396

SHA512
a25bcab66e7ef758ead67a085a561169b090f38a211fba92304531b21e37ea783a8afe519b115481321870124fee450072ed635d6993397ef37bc76926f736e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe

Filesize
540KB

MD5
105bf4a316fb664e65b2e97ad6a5ecfd

SHA1
5c174d8a20a64fac0a9eadbef4b13bf69c35683e

SHA256
6a0b16bbf0a5d5a20005fd9253001e89a1fc4e5016e291f21096df7b09e72396

SHA512
a25bcab66e7ef758ead67a085a561169b090f38a211fba92304531b21e37ea783a8afe519b115481321870124fee450072ed635d6993397ef37bc76926f736e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe

Filesize
293KB

MD5
3c5adf796fd3080ff3b5e72c417b669b

SHA1
2a8781090ae982ac09c709322b07221b53a38362

SHA256
206680f5afd989d83b103d8d0afc86bd7798afd4d67687a5b73f9fc5eadbdd21

SHA512
bb90b07668bd1c9e5c8d8bdd231fab25ef2d8213487cee506cc936ece957622ad9c0ab4e130e059a0c31db548872b38a9a39667922c334482f13143e7fd581bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe

Filesize
293KB

MD5
3c5adf796fd3080ff3b5e72c417b669b

SHA1
2a8781090ae982ac09c709322b07221b53a38362

SHA256
206680f5afd989d83b103d8d0afc86bd7798afd4d67687a5b73f9fc5eadbdd21

SHA512
bb90b07668bd1c9e5c8d8bdd231fab25ef2d8213487cee506cc936ece957622ad9c0ab4e130e059a0c31db548872b38a9a39667922c334482f13143e7fd581bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe

Filesize
12KB

MD5
522f3d34513d6cd6738a96dbf024a7ab

SHA1
6999a9dedaec290805e8a387469e54ba6deccb57

SHA256
5f9253f321622fd22e214d58154284462a6580d96dbfead4f0c8c58737ee9091

SHA512
c440da254f557a981585144524813c069c5f49806479db43df5adfefaac01b7ac52d29fb0c850d2d4f297fa616d2788222c6a1284a1b283dfc9b346743919451

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe

Filesize
12KB

MD5
522f3d34513d6cd6738a96dbf024a7ab

SHA1
6999a9dedaec290805e8a387469e54ba6deccb57

SHA256
5f9253f321622fd22e214d58154284462a6580d96dbfead4f0c8c58737ee9091

SHA512
c440da254f557a981585144524813c069c5f49806479db43df5adfefaac01b7ac52d29fb0c850d2d4f297fa616d2788222c6a1284a1b283dfc9b346743919451

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe

Filesize
285KB

MD5
13f89dd0b3e5c439f324930e406a5bda

SHA1
bda6c49c22abcdb7839cfff56b40d53eed6359dd

SHA256
817bc048781e236e42702521f82550b1a85060fa1e4a0caf08a6547c35baa4bc

SHA512
a02c15161d82db9219a69e38e336ab1a2c3e7e77aa16e7f614219d5859ea37e7d38e4372a7adbaf146508713d96781eebced31624ebbdecb58c9820859bafe28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe

Filesize
285KB

MD5
13f89dd0b3e5c439f324930e406a5bda

SHA1
bda6c49c22abcdb7839cfff56b40d53eed6359dd

SHA256
817bc048781e236e42702521f82550b1a85060fa1e4a0caf08a6547c35baa4bc

SHA512
a02c15161d82db9219a69e38e336ab1a2c3e7e77aa16e7f614219d5859ea37e7d38e4372a7adbaf146508713d96781eebced31624ebbdecb58c9820859bafe28

Download Submit
memory/656-35-0x0000000000970000-0x000000000097A000-memory.dmp

Filesize
40KB

Download
memory/656-36-0x00007FFF1BCD0000-0x00007FFF1C6BC000-memory.dmp

Filesize
9.9MB

Download
memory/656-38-0x00007FFF1BCD0000-0x00007FFF1C6BC000-memory.dmp

Filesize
9.9MB

Download
memory/3128-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3128-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3128-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3128-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download