healer | 2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c

Analysis

max time kernel
38s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6993ec4efe8c5c7cb57cb14ad2d228b.exe
Size

1.1MB
MD5

b6993ec4efe8c5c7cb57cb14ad2d228b
SHA1

8ca71391f2dbc6cb03927f66c9fc67faea4d6166
SHA256

2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c
SHA512

82830e3cc9167125d3c59a10bb44af340f8bb0ee20a42e84092920f64164c2790b54fa60661b8c5c44dd74d0b3c48a8f02fedc97be164e16ea0bbf241c74b23b
SSDEEP

24576:tyouCM/s7ZlZW63sUiGEKn+bb4GN8PXwoaVjpLjM4z3U6Um:IpCC68Up+pRo6jMsU6U

Score

10^/10

healer dropper persistence

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1568-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Executes dropped EXE 5 IoCs

pid	Process
4964	z9609135.exe
2208	z7246784.exe
3452	z1462459.exe
3800	z9564647.exe
2344	q3729767.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6993ec4efe8c5c7cb57cb14ad2d228b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9609135.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7246784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1462459.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9564647.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 1568	2344	q3729767.exe	94

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4964	3512	b6993ec4efe8c5c7cb57cb14ad2d228b.exe	86
PID 3512 wrote to memory of 4964	3512	b6993ec4efe8c5c7cb57cb14ad2d228b.exe	86
PID 3512 wrote to memory of 4964	3512	b6993ec4efe8c5c7cb57cb14ad2d228b.exe	86
PID 4964 wrote to memory of 2208	4964	z9609135.exe	87
PID 4964 wrote to memory of 2208	4964	z9609135.exe	87
PID 4964 wrote to memory of 2208	4964	z9609135.exe	87
PID 2208 wrote to memory of 3452	2208	z7246784.exe	89
PID 2208 wrote to memory of 3452	2208	z7246784.exe	89
PID 2208 wrote to memory of 3452	2208	z7246784.exe	89
PID 3452 wrote to memory of 3800	3452	z1462459.exe	90
PID 3452 wrote to memory of 3800	3452	z1462459.exe	90
PID 3452 wrote to memory of 3800	3452	z1462459.exe	90
PID 3800 wrote to memory of 2344	3800	z9564647.exe	91
PID 3800 wrote to memory of 2344	3800	z9564647.exe	91
PID 3800 wrote to memory of 2344	3800	z9564647.exe	91
PID 2344 wrote to memory of 1568	2344	q3729767.exe	94
PID 2344 wrote to memory of 1568	2344	q3729767.exe	94
PID 2344 wrote to memory of 1568	2344	q3729767.exe	94
PID 2344 wrote to memory of 1568	2344	q3729767.exe	94
PID 2344 wrote to memory of 1568	2344	q3729767.exe	94
PID 2344 wrote to memory of 1568	2344	q3729767.exe	94
PID 2344 wrote to memory of 1568	2344	q3729767.exe	94
PID 2344 wrote to memory of 1568	2344	q3729767.exe	94

C:\Users\Admin\AppData\Local\Temp\b6993ec4efe8c5c7cb57cb14ad2d228b.exe
"C:\Users\Admin\AppData\Local\Temp\b6993ec4efe8c5c7cb57cb14ad2d228b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3800
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2344 -ip 2344
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe

Filesize
981KB

MD5
3d2c446c9ae466b22727740e698f9f01

SHA1
cb1ff4695ff558ada26d24737e67d54b599b6f64

SHA256
d38caf8d6d8da5ac132c633d60ba933b0945f56ed8932939132c1003b786cdea

SHA512
908f12ba82229aa184d992bd19d16664bb2719f7a5c29ea88dad60be44b7d7bee166f4bc03b458b43e60f403aececcb3ae1c7c9b5aa8bf2067a72c0e339144f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe

Filesize
981KB

MD5
3d2c446c9ae466b22727740e698f9f01

SHA1
cb1ff4695ff558ada26d24737e67d54b599b6f64

SHA256
d38caf8d6d8da5ac132c633d60ba933b0945f56ed8932939132c1003b786cdea

SHA512
908f12ba82229aa184d992bd19d16664bb2719f7a5c29ea88dad60be44b7d7bee166f4bc03b458b43e60f403aececcb3ae1c7c9b5aa8bf2067a72c0e339144f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe

Filesize
799KB

MD5
ed4128a7b0b824e1f8d0212a6ea27d43

SHA1
d1a1010682bf8d1be13efdd57adad3d80425cddd

SHA256
63902c0e786d2266100a13f5778ec1c53161333b843d024db1e5f82df133f7e3

SHA512
43228d8924572a1cf3f5134b1147dcbd1ac3ec9dca76476583bad65818023f32bdf862efbf73df8681f57102e8b202d2d566ee0469608923ebde99b5e2c6fee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe

Filesize
799KB

MD5
ed4128a7b0b824e1f8d0212a6ea27d43

SHA1
d1a1010682bf8d1be13efdd57adad3d80425cddd

SHA256
63902c0e786d2266100a13f5778ec1c53161333b843d024db1e5f82df133f7e3

SHA512
43228d8924572a1cf3f5134b1147dcbd1ac3ec9dca76476583bad65818023f32bdf862efbf73df8681f57102e8b202d2d566ee0469608923ebde99b5e2c6fee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe

Filesize
616KB

MD5
165084f946f2567081ee5853613b0392

SHA1
26cda3b1137181ec15e65e66ae0aae08af168af9

SHA256
a736a634a6682aee4d408becd9757b6ae98c73bdb6a5516fae011dbf26a330f5

SHA512
2b2ea1de81a52771a794042e7c0ef7891435c78876e0b3b8e32bea7c443c7a0abda8c4aeb7beeac0daa22cb61c724d613ac74a63935637e3a8059ebe4d859f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe

Filesize
616KB

MD5
165084f946f2567081ee5853613b0392

SHA1
26cda3b1137181ec15e65e66ae0aae08af168af9

SHA256
a736a634a6682aee4d408becd9757b6ae98c73bdb6a5516fae011dbf26a330f5

SHA512
2b2ea1de81a52771a794042e7c0ef7891435c78876e0b3b8e32bea7c443c7a0abda8c4aeb7beeac0daa22cb61c724d613ac74a63935637e3a8059ebe4d859f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe

Filesize
346KB

MD5
34d5bc93cdd736157324ef5e05f552b9

SHA1
181c21206817fdcf3e6c1ef87a388fb228885f77

SHA256
32019428d6015fae23ba18a91f83442ab67dcbf0d2b3832e8c7de84557e1044b

SHA512
c69d30f2fe45eeb8657e43eb525168e7b980eeb584abbf53d031dd07c0224bc5795269611874b891320850e33da84dff246c23300c4c48931eeb07725a49ffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe

Filesize
346KB

MD5
34d5bc93cdd736157324ef5e05f552b9

SHA1
181c21206817fdcf3e6c1ef87a388fb228885f77

SHA256
32019428d6015fae23ba18a91f83442ab67dcbf0d2b3832e8c7de84557e1044b

SHA512
c69d30f2fe45eeb8657e43eb525168e7b980eeb584abbf53d031dd07c0224bc5795269611874b891320850e33da84dff246c23300c4c48931eeb07725a49ffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe

Filesize
227KB

MD5
de78addc1e228ffbb8f8e08cb320baa6

SHA1
7cd6c24a3de9165225951a8107aaaca05f58e95d

SHA256
3498aef634918e63a7ceda3d5a314d021a2ddadbfa935ebfd3729f91f6438752

SHA512
39b58a283bcc6b2d2e51aa7f95d62990a3e82c36686a5d84f970bc3c2a612d5bf6ca4076d57e73316340322d5d223b9529cd58e25b3fed8ecb45e6d6d39598d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe

Filesize
227KB

MD5
de78addc1e228ffbb8f8e08cb320baa6

SHA1
7cd6c24a3de9165225951a8107aaaca05f58e95d

SHA256
3498aef634918e63a7ceda3d5a314d021a2ddadbfa935ebfd3729f91f6438752

SHA512
39b58a283bcc6b2d2e51aa7f95d62990a3e82c36686a5d84f970bc3c2a612d5bf6ca4076d57e73316340322d5d223b9529cd58e25b3fed8ecb45e6d6d39598d8

Download Submit
memory/1568-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads