healer | d77c61e18c77518e629e4a210a6edece19607897dee628703521206c6a2f9a44

Analysis

max time kernel
27s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e41855bf1659ed54bf2e2617b5ee5eadbe2ce2e0640bd22567816a566629c6b2.exe
Size

1.0MB
MD5

48fe3cc12c138ea6d1f139f618b7df47
SHA1

0c228884a2a9abd5199e21d55bcb86af3d18d4f4
SHA256

e41855bf1659ed54bf2e2617b5ee5eadbe2ce2e0640bd22567816a566629c6b2
SHA512

e165953d4e8c0fbb6121c5c8ee7a00e5193bce15a0f5a7b1c4bc11eda7acaa305d990da589e04271ccd8a7376620bdce50253271c5adc7b5e190101f3e6255ef
SSDEEP

24576:3y5TqjLY8S05OCxFxjYul2KLwytrZNRdSAh:ClGOCx4ulLfrwA

Score

10^/10

healer dropper persistence

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/3956-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Executes dropped EXE 5 IoCs

pid	Process
3016	z5434841.exe
2772	z0918861.exe
3420	z0690223.exe
2604	z2940804.exe
4708	q0434908.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e41855bf1659ed54bf2e2617b5ee5eadbe2ce2e0640bd22567816a566629c6b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5434841.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0918861.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0690223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2940804.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4708 set thread context of 3956	4708	q0434908.exe	92

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3016	2456	e41855bf1659ed54bf2e2617b5ee5eadbe2ce2e0640bd22567816a566629c6b2.exe	86
PID 2456 wrote to memory of 3016	2456	e41855bf1659ed54bf2e2617b5ee5eadbe2ce2e0640bd22567816a566629c6b2.exe	86
PID 2456 wrote to memory of 3016	2456	e41855bf1659ed54bf2e2617b5ee5eadbe2ce2e0640bd22567816a566629c6b2.exe	86
PID 3016 wrote to memory of 2772	3016	z5434841.exe	87
PID 3016 wrote to memory of 2772	3016	z5434841.exe	87
PID 3016 wrote to memory of 2772	3016	z5434841.exe	87
PID 2772 wrote to memory of 3420	2772	z0918861.exe	88
PID 2772 wrote to memory of 3420	2772	z0918861.exe	88
PID 2772 wrote to memory of 3420	2772	z0918861.exe	88
PID 3420 wrote to memory of 2604	3420	z0690223.exe	89
PID 3420 wrote to memory of 2604	3420	z0690223.exe	89
PID 3420 wrote to memory of 2604	3420	z0690223.exe	89
PID 2604 wrote to memory of 4708	2604	z2940804.exe	90
PID 2604 wrote to memory of 4708	2604	z2940804.exe	90
PID 2604 wrote to memory of 4708	2604	z2940804.exe	90
PID 4708 wrote to memory of 3956	4708	q0434908.exe	92
PID 4708 wrote to memory of 3956	4708	q0434908.exe	92
PID 4708 wrote to memory of 3956	4708	q0434908.exe	92
PID 4708 wrote to memory of 3956	4708	q0434908.exe	92
PID 4708 wrote to memory of 3956	4708	q0434908.exe	92
PID 4708 wrote to memory of 3956	4708	q0434908.exe	92
PID 4708 wrote to memory of 3956	4708	q0434908.exe	92
PID 4708 wrote to memory of 3956	4708	q0434908.exe	92

C:\Users\Admin\AppData\Local\Temp\e41855bf1659ed54bf2e2617b5ee5eadbe2ce2e0640bd22567816a566629c6b2.exe
"C:\Users\Admin\AppData\Local\Temp\e41855bf1659ed54bf2e2617b5ee5eadbe2ce2e0640bd22567816a566629c6b2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5434841.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5434841.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0918861.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0918861.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0690223.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0690223.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2940804.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2940804.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0434908.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0434908.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5434841.exe

Filesize
966KB

MD5
b8cef2725b6bc7ecb8051158d1a0d2e1

SHA1
6b1f7a6e98d423bd23a1925db725f98587ee007d

SHA256
b5f6481fd63f02fe4a3cacbdf137e5c2415e85b208b8e1a74ef21e2d2e5293d8

SHA512
db0e49e03e31a728ed171c608afa38c1b8a2804b6d4de32da952149c1dbe8ef27b325061ea1b269c934d1bb6469cf005c98ece5a3fdd2ffe3cdb61f570d29bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5434841.exe

Filesize
966KB

MD5
b8cef2725b6bc7ecb8051158d1a0d2e1

SHA1
6b1f7a6e98d423bd23a1925db725f98587ee007d

SHA256
b5f6481fd63f02fe4a3cacbdf137e5c2415e85b208b8e1a74ef21e2d2e5293d8

SHA512
db0e49e03e31a728ed171c608afa38c1b8a2804b6d4de32da952149c1dbe8ef27b325061ea1b269c934d1bb6469cf005c98ece5a3fdd2ffe3cdb61f570d29bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0918861.exe

Filesize
785KB

MD5
ac72c77173aebae2d1d72628599593e4

SHA1
a548c365f7fc2dc90969ee27de03a3b08d98eaa1

SHA256
c67a760d2b002dc4a89f1bab501b40b67b474d240419785483a07bef7e9e43ca

SHA512
1fe3134e43e6f601b3e58c5ab436f641dbc2fae14600e5494618b829c5fd9932be841805a7eacba304a2f1353f5c004ece8db63367b1a831f863b9dad5866a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0918861.exe

Filesize
785KB

MD5
ac72c77173aebae2d1d72628599593e4

SHA1
a548c365f7fc2dc90969ee27de03a3b08d98eaa1

SHA256
c67a760d2b002dc4a89f1bab501b40b67b474d240419785483a07bef7e9e43ca

SHA512
1fe3134e43e6f601b3e58c5ab436f641dbc2fae14600e5494618b829c5fd9932be841805a7eacba304a2f1353f5c004ece8db63367b1a831f863b9dad5866a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0690223.exe

Filesize
602KB

MD5
d851f4a24a0cda6070e73a98955b13e2

SHA1
9df834a55b95e0265ecc6eeb0149921ff3246cec

SHA256
205310c5733fe0e1109d47487559b884a8e24b15822ad10bd7acaa428d962b6c

SHA512
0651f6f98c296cb5f442d6644b56558ded6ab0d7f1f4928fdcd9127ec9cf7cf8fc893bc08934fde3a84542f993b96afa0c4e7c5053858d3c930800e43c928a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0690223.exe

Filesize
602KB

MD5
d851f4a24a0cda6070e73a98955b13e2

SHA1
9df834a55b95e0265ecc6eeb0149921ff3246cec

SHA256
205310c5733fe0e1109d47487559b884a8e24b15822ad10bd7acaa428d962b6c

SHA512
0651f6f98c296cb5f442d6644b56558ded6ab0d7f1f4928fdcd9127ec9cf7cf8fc893bc08934fde3a84542f993b96afa0c4e7c5053858d3c930800e43c928a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2940804.exe

Filesize
341KB

MD5
621cf12bef3baba796301b66eddcc6ce

SHA1
0e4390fb12012ded6e22f52b9bb79611dfab3c31

SHA256
42efc7cded36b58feed9f0acc8166065c518fb8c99f97dcbb98b6cc608151a9f

SHA512
6157ab9975c7411042620e49b294d93e9d28d45ace930862de3c68e2eb7a7ae657123e300307f1a117f9a470e8a447f2e1bde1bb8d279fb5159f972fff83b8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2940804.exe

Filesize
341KB

MD5
621cf12bef3baba796301b66eddcc6ce

SHA1
0e4390fb12012ded6e22f52b9bb79611dfab3c31

SHA256
42efc7cded36b58feed9f0acc8166065c518fb8c99f97dcbb98b6cc608151a9f

SHA512
6157ab9975c7411042620e49b294d93e9d28d45ace930862de3c68e2eb7a7ae657123e300307f1a117f9a470e8a447f2e1bde1bb8d279fb5159f972fff83b8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0434908.exe

Filesize
221KB

MD5
f68a01c85c6c1bd2878bde4c08d6601a

SHA1
73c61156cb905b8ff094782313efcc44ec669655

SHA256
923f486d0b4c7b761cd8158a72dd6e74b1fc5a4fbcfb28959c23bf3858109ec2

SHA512
73605d72eec2557388b4744c8940afa24bc36a88db29318259645771753243ec7600f6fcf1897ac2a24c3d7dbd0503d38880428b6b82455ae42a865112a0f609

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0434908.exe

Filesize
221KB

MD5
f68a01c85c6c1bd2878bde4c08d6601a

SHA1
73c61156cb905b8ff094782313efcc44ec669655

SHA256
923f486d0b4c7b761cd8158a72dd6e74b1fc5a4fbcfb28959c23bf3858109ec2

SHA512
73605d72eec2557388b4744c8940afa24bc36a88db29318259645771753243ec7600f6fcf1897ac2a24c3d7dbd0503d38880428b6b82455ae42a865112a0f609

Download Submit
memory/3956-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads