healer | a7f68a392242919213f36bbb1ecd1040c77cf2dbc81131a2594b19b32ee96d1d

Analysis

max time kernel
139s
max time network
145s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
03-10-2023 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7f68a392242919213f36bbb1ecd1040c77cf2dbc81131a2594b19b32ee96d1d.exe
Size

1.4MB
MD5

dab8609831dccca44f08305d9da25e78
SHA1

0d94965f0db044e45d75d04016ee938fd3294292
SHA256

a7f68a392242919213f36bbb1ecd1040c77cf2dbc81131a2594b19b32ee96d1d
SHA512

19bbaef5ed5f0cc7a91baab92dde2b7b08732c20aa2401e71540b6707a3e068409eb1197dd86d523e7df68e942bf9611a0fab2a3b61f23bfc090ab2fc0d988d3
SSDEEP

24576:/yUb5MxcqcJHVLBdBRFcn2lL0RTMg6DsU2+vIfdCwSClnqxMv7Nkx/yRQjHrUloM:KE5M2qcTLX5d0RCf2+iwmnZvStZLr4oM

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afcc-33.dat	healer
behavioral1/files/0x000700000001afcc-34.dat	healer
behavioral1/memory/596-35-0x0000000000470000-0x000000000047A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q3336130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q3336130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q3336130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q3336130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q3336130.exe

Executes dropped EXE 6 IoCs

pid	Process
2968	z0721768.exe
2496	z9901957.exe
508	z3613616.exe
5116	z7746267.exe
596	q3336130.exe
1692	r5238494.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q3336130.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a7f68a392242919213f36bbb1ecd1040c77cf2dbc81131a2594b19b32ee96d1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0721768.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9901957.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3613616.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z7746267.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 4872	1692	r5238494.exe	79

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2000	1692	WerFault.exe	76
4092	4872	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
596	q3336130.exe
596	q3336130.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	596	q3336130.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 2968	4576	a7f68a392242919213f36bbb1ecd1040c77cf2dbc81131a2594b19b32ee96d1d.exe	71
PID 4576 wrote to memory of 2968	4576	a7f68a392242919213f36bbb1ecd1040c77cf2dbc81131a2594b19b32ee96d1d.exe	71
PID 4576 wrote to memory of 2968	4576	a7f68a392242919213f36bbb1ecd1040c77cf2dbc81131a2594b19b32ee96d1d.exe	71
PID 2968 wrote to memory of 2496	2968	z0721768.exe	72
PID 2968 wrote to memory of 2496	2968	z0721768.exe	72
PID 2968 wrote to memory of 2496	2968	z0721768.exe	72
PID 2496 wrote to memory of 508	2496	z9901957.exe	73
PID 2496 wrote to memory of 508	2496	z9901957.exe	73
PID 2496 wrote to memory of 508	2496	z9901957.exe	73
PID 508 wrote to memory of 5116	508	z3613616.exe	74
PID 508 wrote to memory of 5116	508	z3613616.exe	74
PID 508 wrote to memory of 5116	508	z3613616.exe	74
PID 5116 wrote to memory of 596	5116	z7746267.exe	75
PID 5116 wrote to memory of 596	5116	z7746267.exe	75
PID 5116 wrote to memory of 1692	5116	z7746267.exe	76
PID 5116 wrote to memory of 1692	5116	z7746267.exe	76
PID 5116 wrote to memory of 1692	5116	z7746267.exe	76
PID 1692 wrote to memory of 1296	1692	r5238494.exe	78
PID 1692 wrote to memory of 1296	1692	r5238494.exe	78
PID 1692 wrote to memory of 1296	1692	r5238494.exe	78
PID 1692 wrote to memory of 4872	1692	r5238494.exe	79
PID 1692 wrote to memory of 4872	1692	r5238494.exe	79
PID 1692 wrote to memory of 4872	1692	r5238494.exe	79
PID 1692 wrote to memory of 4872	1692	r5238494.exe	79
PID 1692 wrote to memory of 4872	1692	r5238494.exe	79
PID 1692 wrote to memory of 4872	1692	r5238494.exe	79
PID 1692 wrote to memory of 4872	1692	r5238494.exe	79
PID 1692 wrote to memory of 4872	1692	r5238494.exe	79
PID 1692 wrote to memory of 4872	1692	r5238494.exe	79
PID 1692 wrote to memory of 4872	1692	r5238494.exe	79

C:\Users\Admin\AppData\Local\Temp\a7f68a392242919213f36bbb1ecd1040c77cf2dbc81131a2594b19b32ee96d1d.exe
"C:\Users\Admin\AppData\Local\Temp\a7f68a392242919213f36bbb1ecd1040c77cf2dbc81131a2594b19b32ee96d1d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0721768.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0721768.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9901957.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9901957.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3613616.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3613616.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:508
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7746267.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7746267.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3336130.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3336130.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5238494.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5238494.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 568
        8⤵
        Program crash
        
        PID:4092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 576
        7⤵
        Program crash
        
        PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0721768.exe

Filesize
1.3MB

MD5
1c02276cde838d05e5a4fb98a19d6681

SHA1
d057c70ecde5d51d4f115d76a9d88bc992ea3120

SHA256
201270c39470876d5956de8119e6422cf4886265eda3387666b3b18c78a52e89

SHA512
fdaf2013a46681c24f2b091d9334ccfeb36f3b7713e1e21e2470f17a5dbf416aaf1f9e2bc9fe2c4f95cc188460cd7ba8bef620721df15622ce20bbb5ccd62003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0721768.exe

Filesize
1.3MB

MD5
1c02276cde838d05e5a4fb98a19d6681

SHA1
d057c70ecde5d51d4f115d76a9d88bc992ea3120

SHA256
201270c39470876d5956de8119e6422cf4886265eda3387666b3b18c78a52e89

SHA512
fdaf2013a46681c24f2b091d9334ccfeb36f3b7713e1e21e2470f17a5dbf416aaf1f9e2bc9fe2c4f95cc188460cd7ba8bef620721df15622ce20bbb5ccd62003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9901957.exe

Filesize
1.1MB

MD5
7971b452ff2ff524bf2db7fdb70633f7

SHA1
2a6f2492d31bc1d82e9365fee26307090d403288

SHA256
756775062be8754c35e4ededd028f25cf37b0fbe0d9cd2e23798c6353aaf5e4c

SHA512
9d61258d63a9f5daac2fb692f51a6f1ffa8dd8c6945eebc9d892d2d41a6de0dc63d7c2e8794ceb1cb0954cd076ce2340c32bb8ae027928ac9c7315c6c27989f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9901957.exe

Filesize
1.1MB

MD5
7971b452ff2ff524bf2db7fdb70633f7

SHA1
2a6f2492d31bc1d82e9365fee26307090d403288

SHA256
756775062be8754c35e4ededd028f25cf37b0fbe0d9cd2e23798c6353aaf5e4c

SHA512
9d61258d63a9f5daac2fb692f51a6f1ffa8dd8c6945eebc9d892d2d41a6de0dc63d7c2e8794ceb1cb0954cd076ce2340c32bb8ae027928ac9c7315c6c27989f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3613616.exe

Filesize
925KB

MD5
aaa8f2e3d5c48dede026736c58a42696

SHA1
a009e1155dfbab0d8e2f58d9bea726fb8f53ca00

SHA256
884171a20434d35d90d4475c352715283ecef4e7ede3f9039c89cbfda58f1022

SHA512
9c71473415191f94209f3cc771400d362f1d9450c1290cc8031af39e9b2ea5aecba26719035e83a8d772884b769ca188c2ed3f9508cd25e60764078f6fe9f3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3613616.exe

Filesize
925KB

MD5
aaa8f2e3d5c48dede026736c58a42696

SHA1
a009e1155dfbab0d8e2f58d9bea726fb8f53ca00

SHA256
884171a20434d35d90d4475c352715283ecef4e7ede3f9039c89cbfda58f1022

SHA512
9c71473415191f94209f3cc771400d362f1d9450c1290cc8031af39e9b2ea5aecba26719035e83a8d772884b769ca188c2ed3f9508cd25e60764078f6fe9f3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7746267.exe

Filesize
489KB

MD5
bc8b42b3a27d374409c235a032efadaa

SHA1
e34207bcaa1b0136f815310e0e835040163eae4c

SHA256
591ab5a2f86402c9ec0182cc1d2bf68ec30a06905112d845a9d51a437758bb76

SHA512
56e5e9d1dd8fdf52d708c731b61b7e0144e7d8ec7f4c0bf67f1dc62a79ffd39664001f408f7992889fd48c0c662dd791a29fc7177623e99ef3ba20cc4dbd70d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7746267.exe

Filesize
489KB

MD5
bc8b42b3a27d374409c235a032efadaa

SHA1
e34207bcaa1b0136f815310e0e835040163eae4c

SHA256
591ab5a2f86402c9ec0182cc1d2bf68ec30a06905112d845a9d51a437758bb76

SHA512
56e5e9d1dd8fdf52d708c731b61b7e0144e7d8ec7f4c0bf67f1dc62a79ffd39664001f408f7992889fd48c0c662dd791a29fc7177623e99ef3ba20cc4dbd70d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3336130.exe

Filesize
19KB

MD5
f89204248153b2fc6eeb53f3975ea8b9

SHA1
922a3cc72bd85d04c7169a1032e67b32cdf8c810

SHA256
f97b63600242a0125eee23cd8e754f740430ea04dce61e620bedf8f3394f95ce

SHA512
316734b75743376837065fa953d177c03bcc0a7defcfbc5cb70c4af5c2aede346ba1f53ca78d8e461c6091ba43a544d321febfbc0b1e5e3f6926b17c33b8838b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3336130.exe

Filesize
19KB

MD5
f89204248153b2fc6eeb53f3975ea8b9

SHA1
922a3cc72bd85d04c7169a1032e67b32cdf8c810

SHA256
f97b63600242a0125eee23cd8e754f740430ea04dce61e620bedf8f3394f95ce

SHA512
316734b75743376837065fa953d177c03bcc0a7defcfbc5cb70c4af5c2aede346ba1f53ca78d8e461c6091ba43a544d321febfbc0b1e5e3f6926b17c33b8838b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5238494.exe

Filesize
1.4MB

MD5
5870444f1af298cf3ce9b3edd08fcaa0

SHA1
ea6c3aae666f7a4270617f449018e5b6bd1a906f

SHA256
b0a4e2a52ba0f5ee0a7abc6e580f7a8bb3d984891b6da0eb72418cbb5fa1ea9d

SHA512
7d7c28f6362f9a9511a56dbdb1213b1f56d742db31d43548ad06f3061bc6266290e780838bfd74dfecdb3fb7089a8325191298363033297d6e1c9ef7c8bc101b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5238494.exe

Filesize
1.4MB

MD5
5870444f1af298cf3ce9b3edd08fcaa0

SHA1
ea6c3aae666f7a4270617f449018e5b6bd1a906f

SHA256
b0a4e2a52ba0f5ee0a7abc6e580f7a8bb3d984891b6da0eb72418cbb5fa1ea9d

SHA512
7d7c28f6362f9a9511a56dbdb1213b1f56d742db31d43548ad06f3061bc6266290e780838bfd74dfecdb3fb7089a8325191298363033297d6e1c9ef7c8bc101b

Download Submit
memory/596-35-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/596-36-0x00007FFD54960000-0x00007FFD5534C000-memory.dmp

Filesize
9.9MB

Download
memory/596-38-0x00007FFD54960000-0x00007FFD5534C000-memory.dmp

Filesize
9.9MB

Download
memory/4872-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4872-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4872-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4872-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download