healer | c1a70136b12d6a1f87ef789bf4b194ec7d26a51cf695985ccf0671427b14f770

Analysis

max time kernel
121s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
03-10-2023 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1a70136b12d6a1f87ef789bf4b194ec7d26a51cf695985ccf0671427b14f770.exe
Size

877KB
MD5

6660fa6a2b9976c2ed15960d286ea69b
SHA1

d356bc7f5ec0db67c773217c57763e636b4430c9
SHA256

c1a70136b12d6a1f87ef789bf4b194ec7d26a51cf695985ccf0671427b14f770
SHA512

83c525d66137371177fc1ae4e525790dd00304d1bec13e9a379b275a6f76753b0828258a6304ebe9182ed9029b8de0273a7a38b13618ba576ce805f9c1a01d02
SSDEEP

24576:8yb9Tqcie2avGgOFpFZ4hPWVkjrvx7q8M/+:rb9pf9lOFTZ4hPVr1q8

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af97-26.dat	healer
behavioral1/files/0x000700000001af97-27.dat	healer
behavioral1/memory/380-28-0x0000000000060000-0x000000000006A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1bu74mP1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1bu74mP1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1bu74mP1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1bu74mP1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1bu74mP1.exe

Executes dropped EXE 5 IoCs

pid	Process
4624	ZS2mB31.exe
5084	mZ6rJ79.exe
1828	uB5YD85.exe
380	1bu74mP1.exe
3508	2ux1387.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1bu74mP1.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mZ6rJ79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	uB5YD85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1a70136b12d6a1f87ef789bf4b194ec7d26a51cf695985ccf0671427b14f770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ZS2mB31.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3508 set thread context of 1896	3508	2ux1387.exe	75

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2972	3508	WerFault.exe	73
3260	1896	WerFault.exe	75

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
380	1bu74mP1.exe
380	1bu74mP1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	1bu74mP1.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 4624	2252	c1a70136b12d6a1f87ef789bf4b194ec7d26a51cf695985ccf0671427b14f770.exe	69
PID 2252 wrote to memory of 4624	2252	c1a70136b12d6a1f87ef789bf4b194ec7d26a51cf695985ccf0671427b14f770.exe	69
PID 2252 wrote to memory of 4624	2252	c1a70136b12d6a1f87ef789bf4b194ec7d26a51cf695985ccf0671427b14f770.exe	69
PID 4624 wrote to memory of 5084	4624	ZS2mB31.exe	70
PID 4624 wrote to memory of 5084	4624	ZS2mB31.exe	70
PID 4624 wrote to memory of 5084	4624	ZS2mB31.exe	70
PID 5084 wrote to memory of 1828	5084	mZ6rJ79.exe	71
PID 5084 wrote to memory of 1828	5084	mZ6rJ79.exe	71
PID 5084 wrote to memory of 1828	5084	mZ6rJ79.exe	71
PID 1828 wrote to memory of 380	1828	uB5YD85.exe	72
PID 1828 wrote to memory of 380	1828	uB5YD85.exe	72
PID 1828 wrote to memory of 3508	1828	uB5YD85.exe	73
PID 1828 wrote to memory of 3508	1828	uB5YD85.exe	73
PID 1828 wrote to memory of 3508	1828	uB5YD85.exe	73
PID 3508 wrote to memory of 1896	3508	2ux1387.exe	75
PID 3508 wrote to memory of 1896	3508	2ux1387.exe	75
PID 3508 wrote to memory of 1896	3508	2ux1387.exe	75
PID 3508 wrote to memory of 1896	3508	2ux1387.exe	75
PID 3508 wrote to memory of 1896	3508	2ux1387.exe	75
PID 3508 wrote to memory of 1896	3508	2ux1387.exe	75
PID 3508 wrote to memory of 1896	3508	2ux1387.exe	75
PID 3508 wrote to memory of 1896	3508	2ux1387.exe	75
PID 3508 wrote to memory of 1896	3508	2ux1387.exe	75
PID 3508 wrote to memory of 1896	3508	2ux1387.exe	75

C:\Users\Admin\AppData\Local\Temp\c1a70136b12d6a1f87ef789bf4b194ec7d26a51cf695985ccf0671427b14f770.exe
"C:\Users\Admin\AppData\Local\Temp\c1a70136b12d6a1f87ef789bf4b194ec7d26a51cf695985ccf0671427b14f770.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZS2mB31.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZS2mB31.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mZ6rJ79.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mZ6rJ79.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uB5YD85.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uB5YD85.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1bu74mP1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1bu74mP1.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ux1387.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ux1387.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 588
        7⤵
        Program crash
        
        PID:3260
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 580
        6⤵
        Program crash
        
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZS2mB31.exe

Filesize
737KB

MD5
d49fa1419d44e2f920e6d2f5dfcc575e

SHA1
6d1868c2cfc8823ae635602886b3ba6eabf62abb

SHA256
186b2c49d5024f6277a666446edb276ed95ab5c103d6df417a7e09d5fe450c47

SHA512
db6e304fd84492df1eb34e409c54768d97914896b3a757cac12731edaa9f362af5691eb802e44bc35facc232a3b3ec5158cf67ae79d12c60f9485b9f68d7bbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZS2mB31.exe

Filesize
737KB

MD5
d49fa1419d44e2f920e6d2f5dfcc575e

SHA1
6d1868c2cfc8823ae635602886b3ba6eabf62abb

SHA256
186b2c49d5024f6277a666446edb276ed95ab5c103d6df417a7e09d5fe450c47

SHA512
db6e304fd84492df1eb34e409c54768d97914896b3a757cac12731edaa9f362af5691eb802e44bc35facc232a3b3ec5158cf67ae79d12c60f9485b9f68d7bbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mZ6rJ79.exe

Filesize
490KB

MD5
22e46843620e1c100dc250f6b9d75a15

SHA1
eeb18d0f7b275e5983d9d7c6b950976502cdd0b4

SHA256
f4385be143767cd78f3d2758b5f773a728db71312f2dac8e69d1fe53ab7c8320

SHA512
f221619b1bb23014d133c84426333c6512aeaf87395ef673f50c7e53796f0769241f51dc3731430e2aff6cbb764f74130d0206033483c8e2cc70dd5b58d05075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mZ6rJ79.exe

Filesize
490KB

MD5
22e46843620e1c100dc250f6b9d75a15

SHA1
eeb18d0f7b275e5983d9d7c6b950976502cdd0b4

SHA256
f4385be143767cd78f3d2758b5f773a728db71312f2dac8e69d1fe53ab7c8320

SHA512
f221619b1bb23014d133c84426333c6512aeaf87395ef673f50c7e53796f0769241f51dc3731430e2aff6cbb764f74130d0206033483c8e2cc70dd5b58d05075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uB5YD85.exe

Filesize
293KB

MD5
696b441b0e505b9e4aa996473d8ffbac

SHA1
5d8f05ef8a22e3973fb4ac609b99d2ed9d86e84a

SHA256
9da4a6efcaa75a47e78e3c016b4400151f3ea16ff628bd99db0f100ca1ba1a17

SHA512
3b67404595409d3b6a604c86234ea86c0475716719f11e1facf913543e6a26c5be251ec6bcf2417661442992a1020156d6d530d189b579f6e60008d509898b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uB5YD85.exe

Filesize
293KB

MD5
696b441b0e505b9e4aa996473d8ffbac

SHA1
5d8f05ef8a22e3973fb4ac609b99d2ed9d86e84a

SHA256
9da4a6efcaa75a47e78e3c016b4400151f3ea16ff628bd99db0f100ca1ba1a17

SHA512
3b67404595409d3b6a604c86234ea86c0475716719f11e1facf913543e6a26c5be251ec6bcf2417661442992a1020156d6d530d189b579f6e60008d509898b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1bu74mP1.exe

Filesize
12KB

MD5
99eb03f34ec41444894ef8278380ec9f

SHA1
3d3aa0f971b29e3b7d04e0669f3efdfb58c33fb0

SHA256
c6044e8b8c2956d20ea07529fbcabb03e28e55d977a59a87952cb2045ef7c73f

SHA512
5551343f5b7cc12b375eca0f43f593afc22ff934ca72cc0e149ca2db3976fb5e03244aee4cce5b49de0ed97f22c73fc0643ab25c8827ca9988a515e96855caa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1bu74mP1.exe

Filesize
12KB

MD5
99eb03f34ec41444894ef8278380ec9f

SHA1
3d3aa0f971b29e3b7d04e0669f3efdfb58c33fb0

SHA256
c6044e8b8c2956d20ea07529fbcabb03e28e55d977a59a87952cb2045ef7c73f

SHA512
5551343f5b7cc12b375eca0f43f593afc22ff934ca72cc0e149ca2db3976fb5e03244aee4cce5b49de0ed97f22c73fc0643ab25c8827ca9988a515e96855caa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ux1387.exe

Filesize
285KB

MD5
4354247bdec59339e3df2866b1dfef44

SHA1
bedfd97e6c36b236e63730f41845c51acd36bdf3

SHA256
3c491c5a1d6bfb29bc4261718f8ced414862e00f36bb3b3c955c14139a283047

SHA512
deb03c8f527fdc0faf40e69047087a5cfff98253c9272d2caf393b74cd233b237f84450f007c6f700223980ff7f02bd20aafd46e9dadf3045d14493acd68cdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ux1387.exe

Filesize
285KB

MD5
4354247bdec59339e3df2866b1dfef44

SHA1
bedfd97e6c36b236e63730f41845c51acd36bdf3

SHA256
3c491c5a1d6bfb29bc4261718f8ced414862e00f36bb3b3c955c14139a283047

SHA512
deb03c8f527fdc0faf40e69047087a5cfff98253c9272d2caf393b74cd233b237f84450f007c6f700223980ff7f02bd20aafd46e9dadf3045d14493acd68cdce

Download Submit
memory/380-31-0x00007FFC15750000-0x00007FFC1613C000-memory.dmp

Filesize
9.9MB

Download
memory/380-29-0x00007FFC15750000-0x00007FFC1613C000-memory.dmp

Filesize
9.9MB

Download
memory/380-28-0x0000000000060000-0x000000000006A000-memory.dmp

Filesize
40KB

Download
memory/1896-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1896-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1896-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1896-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download