healer | 35e68e953b84487b55aeb72d5c708ee759b446ec6b03696d84accf392661a6e1

Analysis

max time kernel
114s
max time network
118s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
03-10-2023 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35e68e953b84487b55aeb72d5c708ee759b446ec6b03696d84accf392661a6e1.exe
Size

877KB
MD5

3be4bb80f9f4e60bda782c722a5080b2
SHA1

de19fb38014c1547ce043dd77a33b51939f4c1bc
SHA256

35e68e953b84487b55aeb72d5c708ee759b446ec6b03696d84accf392661a6e1
SHA512

9eb59f427cfc0ddae3c0c0c9c72ccee25fa791dd462b70f43a79486608668b8ad62e9be9e9b7968344949fc03b809810c552148ba3b955b659cfb73cd744d7ac
SSDEEP

12288:eMr9y909oQLcflvyLa7lCl4bspSV1DGGKnVNbWPkLO4IzORpFuRELzzGk5U3:ryQcfTAl4bZCGKnVNbWsC9vRm55U3

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b01f-26.dat	healer
behavioral1/files/0x000700000001b01f-27.dat	healer
behavioral1/memory/1032-28-0x0000000000190000-0x000000000019A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1dO96IA7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1dO96IA7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1dO96IA7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1dO96IA7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1dO96IA7.exe

Executes dropped EXE 5 IoCs

pid	Process
4800	Cm2SP83.exe
2988	QS5ug48.exe
4688	WB2Vh54.exe
1032	1dO96IA7.exe
4356	2Yt9999.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1dO96IA7.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	35e68e953b84487b55aeb72d5c708ee759b446ec6b03696d84accf392661a6e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Cm2SP83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	QS5ug48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	WB2Vh54.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4356 set thread context of 3724	4356	2Yt9999.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1268	4356	WerFault.exe	74
1908	3724	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1032	1dO96IA7.exe
1032	1dO96IA7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	1dO96IA7.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 4800	3108	35e68e953b84487b55aeb72d5c708ee759b446ec6b03696d84accf392661a6e1.exe	70
PID 3108 wrote to memory of 4800	3108	35e68e953b84487b55aeb72d5c708ee759b446ec6b03696d84accf392661a6e1.exe	70
PID 3108 wrote to memory of 4800	3108	35e68e953b84487b55aeb72d5c708ee759b446ec6b03696d84accf392661a6e1.exe	70
PID 4800 wrote to memory of 2988	4800	Cm2SP83.exe	71
PID 4800 wrote to memory of 2988	4800	Cm2SP83.exe	71
PID 4800 wrote to memory of 2988	4800	Cm2SP83.exe	71
PID 2988 wrote to memory of 4688	2988	QS5ug48.exe	72
PID 2988 wrote to memory of 4688	2988	QS5ug48.exe	72
PID 2988 wrote to memory of 4688	2988	QS5ug48.exe	72
PID 4688 wrote to memory of 1032	4688	WB2Vh54.exe	73
PID 4688 wrote to memory of 1032	4688	WB2Vh54.exe	73
PID 4688 wrote to memory of 4356	4688	WB2Vh54.exe	74
PID 4688 wrote to memory of 4356	4688	WB2Vh54.exe	74
PID 4688 wrote to memory of 4356	4688	WB2Vh54.exe	74
PID 4356 wrote to memory of 4052	4356	2Yt9999.exe	76
PID 4356 wrote to memory of 4052	4356	2Yt9999.exe	76
PID 4356 wrote to memory of 4052	4356	2Yt9999.exe	76
PID 4356 wrote to memory of 3724	4356	2Yt9999.exe	77
PID 4356 wrote to memory of 3724	4356	2Yt9999.exe	77
PID 4356 wrote to memory of 3724	4356	2Yt9999.exe	77
PID 4356 wrote to memory of 3724	4356	2Yt9999.exe	77
PID 4356 wrote to memory of 3724	4356	2Yt9999.exe	77
PID 4356 wrote to memory of 3724	4356	2Yt9999.exe	77
PID 4356 wrote to memory of 3724	4356	2Yt9999.exe	77
PID 4356 wrote to memory of 3724	4356	2Yt9999.exe	77
PID 4356 wrote to memory of 3724	4356	2Yt9999.exe	77
PID 4356 wrote to memory of 3724	4356	2Yt9999.exe	77

C:\Users\Admin\AppData\Local\Temp\35e68e953b84487b55aeb72d5c708ee759b446ec6b03696d84accf392661a6e1.exe
"C:\Users\Admin\AppData\Local\Temp\35e68e953b84487b55aeb72d5c708ee759b446ec6b03696d84accf392661a6e1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cm2SP83.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cm2SP83.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QS5ug48.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QS5ug48.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WB2Vh54.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WB2Vh54.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4688
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dO96IA7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dO96IA7.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yt9999.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yt9999.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4052
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 568
        7⤵
        Program crash
        
        PID:1908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 576
        6⤵
        Program crash
        
        PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cm2SP83.exe

Filesize
737KB

MD5
cc761c2b752142a0602042a1c8ce157f

SHA1
5733b56cbb43c45b2a6ea1471cbd299eb3619155

SHA256
4e39c83e5b0d32fc3c2e7a14d6e3316b7261e180ded777f7dac180023571eab5

SHA512
a058843b47c0baa3b0c2cb19468929558a4a2b8ee00fffa6ee4cd58dd03a4ce1aaebc3eacacc491f720adae4499e4571471f3bec8d52d6b796a58b228ed601b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cm2SP83.exe

Filesize
737KB

MD5
cc761c2b752142a0602042a1c8ce157f

SHA1
5733b56cbb43c45b2a6ea1471cbd299eb3619155

SHA256
4e39c83e5b0d32fc3c2e7a14d6e3316b7261e180ded777f7dac180023571eab5

SHA512
a058843b47c0baa3b0c2cb19468929558a4a2b8ee00fffa6ee4cd58dd03a4ce1aaebc3eacacc491f720adae4499e4571471f3bec8d52d6b796a58b228ed601b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QS5ug48.exe

Filesize
490KB

MD5
fc2105c2b688feab1a93e387204cf61d

SHA1
ccfce0a848f717f81733ce5ed330437b610db4f7

SHA256
2903ef5e6eb19fa7ab689350bcb39f2b1b45d79c6c25804113a2661ebe22b0c8

SHA512
fce61fa3264766fe1ffeeaf23123314dca81d727bbe2a53d37d47f31332b8a9fe83b38f8d6840fd5c2ce6fae9b879a2ae2d4659f2dc2066536357b631d61a943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QS5ug48.exe

Filesize
490KB

MD5
fc2105c2b688feab1a93e387204cf61d

SHA1
ccfce0a848f717f81733ce5ed330437b610db4f7

SHA256
2903ef5e6eb19fa7ab689350bcb39f2b1b45d79c6c25804113a2661ebe22b0c8

SHA512
fce61fa3264766fe1ffeeaf23123314dca81d727bbe2a53d37d47f31332b8a9fe83b38f8d6840fd5c2ce6fae9b879a2ae2d4659f2dc2066536357b631d61a943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WB2Vh54.exe

Filesize
293KB

MD5
fa6c30ec846c40d7efcc452f222f08c2

SHA1
44888d6c51d4e31915f37225b4025f1b72266bfa

SHA256
bf5b20ce9804d5e190a4b07af863b196e37b59ef5c67796f44758bede36d9ac8

SHA512
ea1e65a9b0f41f559a00f71915575a94f878a7df91b6f2b714c87ccd057a25f7043d12571213a4a6e69394b7e065da0950fd5da926c80077ab1bfdbf2f54d947

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WB2Vh54.exe

Filesize
293KB

MD5
fa6c30ec846c40d7efcc452f222f08c2

SHA1
44888d6c51d4e31915f37225b4025f1b72266bfa

SHA256
bf5b20ce9804d5e190a4b07af863b196e37b59ef5c67796f44758bede36d9ac8

SHA512
ea1e65a9b0f41f559a00f71915575a94f878a7df91b6f2b714c87ccd057a25f7043d12571213a4a6e69394b7e065da0950fd5da926c80077ab1bfdbf2f54d947

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dO96IA7.exe

Filesize
12KB

MD5
c3b47a80a28cc450754a883d9fdaf65b

SHA1
870df201d57239320785b315f654efab12dc6a6a

SHA256
901855ba1e6be580ef17e205d406292ad7e2292513234a7e1754b26e815e5e01

SHA512
8659d725eaf314c62451bbd6ad1a549190f8000a05c56c2e87002861bc1855839c5206f3befdee36989f8d62b1f27d7b2f86c4110c6a2ac265bfde9dfe35da15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dO96IA7.exe

Filesize
12KB

MD5
c3b47a80a28cc450754a883d9fdaf65b

SHA1
870df201d57239320785b315f654efab12dc6a6a

SHA256
901855ba1e6be580ef17e205d406292ad7e2292513234a7e1754b26e815e5e01

SHA512
8659d725eaf314c62451bbd6ad1a549190f8000a05c56c2e87002861bc1855839c5206f3befdee36989f8d62b1f27d7b2f86c4110c6a2ac265bfde9dfe35da15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yt9999.exe

Filesize
285KB

MD5
6c4b3a25b1cc20497042654dfd9e7c03

SHA1
92616b76e2a74879d3cefe2cd3f11c7b30e42e87

SHA256
7324446f3a20bc99ab50001cc7ed93d54af6d59241143cdaee2c516360d77c6d

SHA512
fbb0eb2ebf42f7ae487095cc72ed99e362573e1c52ac46ec83f62bfad604cc04c06c39d22cb265b52422e41d6a160aeb7ce4430c6fee87c05e8c0c423034b64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yt9999.exe

Filesize
285KB

MD5
6c4b3a25b1cc20497042654dfd9e7c03

SHA1
92616b76e2a74879d3cefe2cd3f11c7b30e42e87

SHA256
7324446f3a20bc99ab50001cc7ed93d54af6d59241143cdaee2c516360d77c6d

SHA512
fbb0eb2ebf42f7ae487095cc72ed99e362573e1c52ac46ec83f62bfad604cc04c06c39d22cb265b52422e41d6a160aeb7ce4430c6fee87c05e8c0c423034b64d

Download Submit
memory/1032-31-0x00007FFA75960000-0x00007FFA7634C000-memory.dmp

Filesize
9.9MB

Download
memory/1032-29-0x00007FFA75960000-0x00007FFA7634C000-memory.dmp

Filesize
9.9MB

Download
memory/1032-28-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/3724-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3724-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3724-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3724-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download