healer | 209477710b17f3ea68ce5643f03553e68c3cc8891b2a4865e07c0f8552c95a13

Analysis

max time kernel
194s
max time network
249s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

209477710b17f3ea68ce5643f03553e68c3cc8891b2a4865e07c0f8552c95a13.exe
Size

1.2MB
MD5

344880e215de5d5e250d065df1239a57
SHA1

04c096b71804d0f19c0f157ad18c50c497e21e15
SHA256

209477710b17f3ea68ce5643f03553e68c3cc8891b2a4865e07c0f8552c95a13
SHA512

8324e265f2e29a06568cd93922b44f82c59e4ac9d1280fb0a17607598f3017d6bd354f1dd10a1eff7fb62f18726d961f2afed3ad57c2b0489e85cb9f84e80026
SSDEEP

24576:myi3+K2jmmxl8GYqrCTLDekQZbmlNAg6FWog7IZbNUGCq:1i3r2jmCl8sCfLQcDEWoSmiG

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/832-42-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Executes dropped EXE 7 IoCs

pid	Process
4372	v8979022.exe
2980	v0514753.exe
2440	v3771314.exe
4308	v7809937.exe
5072	v8094895.exe
2972	a2594814.exe
2604	b8217917.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	v8094895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	209477710b17f3ea68ce5643f03553e68c3cc8891b2a4865e07c0f8552c95a13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8979022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0514753.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3771314.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7809937.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 832	2972	a2594814.exe	96
PID 2604 set thread context of 2204	2604	b8217917.exe	103

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3956	2972	WerFault.exe	94
2672	2604	WerFault.exe	102
2104	2204	WerFault.exe	103

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
832	AppLaunch.exe
832	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	832	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 4372	1888	209477710b17f3ea68ce5643f03553e68c3cc8891b2a4865e07c0f8552c95a13.exe	89
PID 1888 wrote to memory of 4372	1888	209477710b17f3ea68ce5643f03553e68c3cc8891b2a4865e07c0f8552c95a13.exe	89
PID 1888 wrote to memory of 4372	1888	209477710b17f3ea68ce5643f03553e68c3cc8891b2a4865e07c0f8552c95a13.exe	89
PID 4372 wrote to memory of 2980	4372	v8979022.exe	90
PID 4372 wrote to memory of 2980	4372	v8979022.exe	90
PID 4372 wrote to memory of 2980	4372	v8979022.exe	90
PID 2980 wrote to memory of 2440	2980	v0514753.exe	91
PID 2980 wrote to memory of 2440	2980	v0514753.exe	91
PID 2980 wrote to memory of 2440	2980	v0514753.exe	91
PID 2440 wrote to memory of 4308	2440	v3771314.exe	92
PID 2440 wrote to memory of 4308	2440	v3771314.exe	92
PID 2440 wrote to memory of 4308	2440	v3771314.exe	92
PID 4308 wrote to memory of 5072	4308	v7809937.exe	93
PID 4308 wrote to memory of 5072	4308	v7809937.exe	93
PID 4308 wrote to memory of 5072	4308	v7809937.exe	93
PID 5072 wrote to memory of 2972	5072	v8094895.exe	94
PID 5072 wrote to memory of 2972	5072	v8094895.exe	94
PID 5072 wrote to memory of 2972	5072	v8094895.exe	94
PID 2972 wrote to memory of 832	2972	a2594814.exe	96
PID 2972 wrote to memory of 832	2972	a2594814.exe	96
PID 2972 wrote to memory of 832	2972	a2594814.exe	96
PID 2972 wrote to memory of 832	2972	a2594814.exe	96
PID 2972 wrote to memory of 832	2972	a2594814.exe	96
PID 2972 wrote to memory of 832	2972	a2594814.exe	96
PID 2972 wrote to memory of 832	2972	a2594814.exe	96
PID 2972 wrote to memory of 832	2972	a2594814.exe	96
PID 5072 wrote to memory of 2604	5072	v8094895.exe	102
PID 5072 wrote to memory of 2604	5072	v8094895.exe	102
PID 5072 wrote to memory of 2604	5072	v8094895.exe	102
PID 2604 wrote to memory of 2204	2604	b8217917.exe	103
PID 2604 wrote to memory of 2204	2604	b8217917.exe	103
PID 2604 wrote to memory of 2204	2604	b8217917.exe	103
PID 2604 wrote to memory of 2204	2604	b8217917.exe	103
PID 2604 wrote to memory of 2204	2604	b8217917.exe	103
PID 2604 wrote to memory of 2204	2604	b8217917.exe	103
PID 2604 wrote to memory of 2204	2604	b8217917.exe	103
PID 2604 wrote to memory of 2204	2604	b8217917.exe	103
PID 2604 wrote to memory of 2204	2604	b8217917.exe	103
PID 2604 wrote to memory of 2204	2604	b8217917.exe	103

C:\Users\Admin\AppData\Local\Temp\209477710b17f3ea68ce5643f03553e68c3cc8891b2a4865e07c0f8552c95a13.exe
"C:\Users\Admin\AppData\Local\Temp\209477710b17f3ea68ce5643f03553e68c3cc8891b2a4865e07c0f8552c95a13.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8979022.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8979022.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0514753.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0514753.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3771314.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3771314.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7809937.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7809937.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4308
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v8094895.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v8094895.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a2594814.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a2594814.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 552
        8⤵
        Program crash
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b8217917.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b8217917.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 540
        9⤵
        Program crash
        
        PID:2104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 552
        8⤵
        Program crash
        
        PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2972 -ip 2972
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2604 -ip 2604
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2204 -ip 2204
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8979022.exe

Filesize
1.1MB

MD5
8ce5fc87fdbaa4a3294b1c92b7b9ceb7

SHA1
95a3d7caa72077bfb34dafff9428116d91e7bfa9

SHA256
f5017c1fff95e5d410280711db60a9db421ad52f52f7d701bbdbbb68a19c99e0

SHA512
d25abbe9f32f6a5119a1ff1a9dfa9c7fe608d3bdb5b62691355698ab30bb5df01b16051ad36404d7028503e4ca1a373953950ecdcd6d11a899070500e6c54aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8979022.exe

Filesize
1.1MB

MD5
8ce5fc87fdbaa4a3294b1c92b7b9ceb7

SHA1
95a3d7caa72077bfb34dafff9428116d91e7bfa9

SHA256
f5017c1fff95e5d410280711db60a9db421ad52f52f7d701bbdbbb68a19c99e0

SHA512
d25abbe9f32f6a5119a1ff1a9dfa9c7fe608d3bdb5b62691355698ab30bb5df01b16051ad36404d7028503e4ca1a373953950ecdcd6d11a899070500e6c54aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0514753.exe

Filesize
938KB

MD5
327a8bb1f1546f12144ee641c335fa2f

SHA1
c9205e739d42b8f167029c33dde719668a405ad1

SHA256
fcb275d48f79bc28eaafb0c22fd073ad2fccada2a944aeeffd5a8a40f4e0c786

SHA512
f3b744d48773ca14d1cab0c441338898212298dcd9abe731fe7e46be63e829f84857371cc9076842c7a597567bc5baf7b0bba804cacbb04e9b74085ac9ec40f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0514753.exe

Filesize
938KB

MD5
327a8bb1f1546f12144ee641c335fa2f

SHA1
c9205e739d42b8f167029c33dde719668a405ad1

SHA256
fcb275d48f79bc28eaafb0c22fd073ad2fccada2a944aeeffd5a8a40f4e0c786

SHA512
f3b744d48773ca14d1cab0c441338898212298dcd9abe731fe7e46be63e829f84857371cc9076842c7a597567bc5baf7b0bba804cacbb04e9b74085ac9ec40f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3771314.exe

Filesize
781KB

MD5
92d9ea1eca6ab7e7b25df42314c3beac

SHA1
81686b775e82dbf02411c18d5bf0438229f52e4e

SHA256
0403d314a16c879214f05438ea87a7ac138d983a850bb96b8118ccdda99f1dd8

SHA512
01b2976cea9d239a07fa880c864921117ca7b26c8c6f7d3f302db25f2ed6d20054da91ebf732cf2b7cb6aae64e5a3ccb76144a9ffd7b07c289a53b878830d2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3771314.exe

Filesize
781KB

MD5
92d9ea1eca6ab7e7b25df42314c3beac

SHA1
81686b775e82dbf02411c18d5bf0438229f52e4e

SHA256
0403d314a16c879214f05438ea87a7ac138d983a850bb96b8118ccdda99f1dd8

SHA512
01b2976cea9d239a07fa880c864921117ca7b26c8c6f7d3f302db25f2ed6d20054da91ebf732cf2b7cb6aae64e5a3ccb76144a9ffd7b07c289a53b878830d2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7809937.exe

Filesize
604KB

MD5
69d30405b4be7ecbb97d8921bb15d1a6

SHA1
e4a3ab428ac6064a29489d155da42a61ef10e28c

SHA256
8bd04c2294e6fa457bae78fbea006602e5322febb6e55b447ab64ca5a7f3175d

SHA512
a8edd9a77e2e6647d5d6cbb24c2017a0c37fef51437261f8dd159ec4626c12f4eddec88d5ccb4c29cef270b48162631e9d833185809fb37287c9f9d682459c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7809937.exe

Filesize
604KB

MD5
69d30405b4be7ecbb97d8921bb15d1a6

SHA1
e4a3ab428ac6064a29489d155da42a61ef10e28c

SHA256
8bd04c2294e6fa457bae78fbea006602e5322febb6e55b447ab64ca5a7f3175d

SHA512
a8edd9a77e2e6647d5d6cbb24c2017a0c37fef51437261f8dd159ec4626c12f4eddec88d5ccb4c29cef270b48162631e9d833185809fb37287c9f9d682459c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v8094895.exe

Filesize
344KB

MD5
2c00f28a1422c4cb42847bbf7923201d

SHA1
f48e4d1cbcdcfbf2c8c83bd059acf514f73dc4ec

SHA256
f81513bb652d7b8d66e429af5c4c72c0b038d04160b5508f517eae193c516ce6

SHA512
378ab203d6edf7b555f17bc47575efc2bbe285fd45f5f38e4f9034b4be1a92b3e91ec268b3063585794fdabfb59277b07c380dcd58dac3eef47e1b19e3317891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v8094895.exe

Filesize
344KB

MD5
2c00f28a1422c4cb42847bbf7923201d

SHA1
f48e4d1cbcdcfbf2c8c83bd059acf514f73dc4ec

SHA256
f81513bb652d7b8d66e429af5c4c72c0b038d04160b5508f517eae193c516ce6

SHA512
378ab203d6edf7b555f17bc47575efc2bbe285fd45f5f38e4f9034b4be1a92b3e91ec268b3063585794fdabfb59277b07c380dcd58dac3eef47e1b19e3317891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a2594814.exe

Filesize
220KB

MD5
4c620e3daf14c86fa7ee40393faaffa6

SHA1
2b84f5aa55c63adfc907423ae24186235a4b0a7b

SHA256
f421f0bc63094f284dd9a736d5edf418a2e6a4c9b2533f32d940c638f397ba99

SHA512
fae90d72cc6aec17a407c9d7e5ded020e168cf0302db6896a8086f3bebd7a00b9b31bcf9cd6c700ba5eff073e952741d85fde679ba3aa6aabc2a18b90262a4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\a2594814.exe

Filesize
220KB

MD5
4c620e3daf14c86fa7ee40393faaffa6

SHA1
2b84f5aa55c63adfc907423ae24186235a4b0a7b

SHA256
f421f0bc63094f284dd9a736d5edf418a2e6a4c9b2533f32d940c638f397ba99

SHA512
fae90d72cc6aec17a407c9d7e5ded020e168cf0302db6896a8086f3bebd7a00b9b31bcf9cd6c700ba5eff073e952741d85fde679ba3aa6aabc2a18b90262a4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b8217917.exe

Filesize
364KB

MD5
17982d1db13977357bc89ebc1f4b97fe

SHA1
ec4bd019c2295b57b46d67bfb71a38a022bdf0c0

SHA256
3a26c83e86d8f748803499a1ab00a37a197654e84fea796774610c96da0ce10c

SHA512
5061d9080fe5147e5834a5642f2a6e60960460fb20e822949a56d05ea918b942958e6bf4d94e55d7204aaf2a69352e1106ad0bf462a79bab0a1eef65848c2a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\b8217917.exe

Filesize
364KB

MD5
17982d1db13977357bc89ebc1f4b97fe

SHA1
ec4bd019c2295b57b46d67bfb71a38a022bdf0c0

SHA256
3a26c83e86d8f748803499a1ab00a37a197654e84fea796774610c96da0ce10c

SHA512
5061d9080fe5147e5834a5642f2a6e60960460fb20e822949a56d05ea918b942958e6bf4d94e55d7204aaf2a69352e1106ad0bf462a79bab0a1eef65848c2a10

Download Submit
memory/832-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/832-43-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/832-44-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/832-46-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2204-50-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2204-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2204-52-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2204-54-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download