healer | 4f69b5d1cff3192bd76f7c54861882346291f2a1a80d2d04ab3aae93e938d4d7

Analysis

max time kernel
232s
max time network
244s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f69b5d1cff3192bd76f7c54861882346291f2a1a80d2d04ab3aae93e938d4d7.exe
Size

1.0MB
MD5

572755e3e78b1c046ba45c9c4bef6b1d
SHA1

ac40f31a428da7c2e3a971bceb111b1c0019840f
SHA256

4f69b5d1cff3192bd76f7c54861882346291f2a1a80d2d04ab3aae93e938d4d7
SHA512

badac893360f68c5c609319f52fc683346823ff6a65c2a3532ac2ac67dfafbe702bf869587d220b72432680417147d45d54857c9302e6bf0cf5c84ddbbb749af
SSDEEP

24576:tyYJQqY8/pcfWyd067QY5g8LkCKBRmrC1/mwmQtJTTij:IYiXWsE4g8LLKBRhMwz

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2528-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
1760	z8737506.exe
1304	z6453489.exe
3260	z8650141.exe
1692	z9756863.exe
3200	q4071845.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4f69b5d1cff3192bd76f7c54861882346291f2a1a80d2d04ab3aae93e938d4d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8737506.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6453489.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8650141.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9756863.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3200 set thread context of 2528	3200	q4071845.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5036	3200	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2528	AppLaunch.exe
2528	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1760	2188	4f69b5d1cff3192bd76f7c54861882346291f2a1a80d2d04ab3aae93e938d4d7.exe	87
PID 2188 wrote to memory of 1760	2188	4f69b5d1cff3192bd76f7c54861882346291f2a1a80d2d04ab3aae93e938d4d7.exe	87
PID 2188 wrote to memory of 1760	2188	4f69b5d1cff3192bd76f7c54861882346291f2a1a80d2d04ab3aae93e938d4d7.exe	87
PID 1760 wrote to memory of 1304	1760	z8737506.exe	88
PID 1760 wrote to memory of 1304	1760	z8737506.exe	88
PID 1760 wrote to memory of 1304	1760	z8737506.exe	88
PID 1304 wrote to memory of 3260	1304	z6453489.exe	89
PID 1304 wrote to memory of 3260	1304	z6453489.exe	89
PID 1304 wrote to memory of 3260	1304	z6453489.exe	89
PID 3260 wrote to memory of 1692	3260	z8650141.exe	90
PID 3260 wrote to memory of 1692	3260	z8650141.exe	90
PID 3260 wrote to memory of 1692	3260	z8650141.exe	90
PID 1692 wrote to memory of 3200	1692	z9756863.exe	91
PID 1692 wrote to memory of 3200	1692	z9756863.exe	91
PID 1692 wrote to memory of 3200	1692	z9756863.exe	91
PID 3200 wrote to memory of 2528	3200	q4071845.exe	92
PID 3200 wrote to memory of 2528	3200	q4071845.exe	92
PID 3200 wrote to memory of 2528	3200	q4071845.exe	92
PID 3200 wrote to memory of 2528	3200	q4071845.exe	92
PID 3200 wrote to memory of 2528	3200	q4071845.exe	92
PID 3200 wrote to memory of 2528	3200	q4071845.exe	92
PID 3200 wrote to memory of 2528	3200	q4071845.exe	92
PID 3200 wrote to memory of 2528	3200	q4071845.exe	92

C:\Users\Admin\AppData\Local\Temp\4f69b5d1cff3192bd76f7c54861882346291f2a1a80d2d04ab3aae93e938d4d7.exe
"C:\Users\Admin\AppData\Local\Temp\4f69b5d1cff3192bd76f7c54861882346291f2a1a80d2d04ab3aae93e938d4d7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8737506.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8737506.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6453489.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6453489.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8650141.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8650141.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9756863.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9756863.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4071845.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4071845.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 580
        7⤵
        Program crash
        
        PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3200 -ip 3200
1⤵
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8737506.exe

Filesize
960KB

MD5
86341a2fea0df9b93625ae59bff96ff7

SHA1
362652fac9d991d7364164b2d96c1b41b183d774

SHA256
9938af23533f58d28f560c7b462cb160faf3fe9970b70e45a1ea9b5c1f45e600

SHA512
68ebaf1b1bc8583bb0e2df06601bce5c4da9135e664eb66667253e8279bf42574ecab101195be59fc724f79de8daaaa98dbf88af6307d56d5313832266c7e09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8737506.exe

Filesize
960KB

MD5
86341a2fea0df9b93625ae59bff96ff7

SHA1
362652fac9d991d7364164b2d96c1b41b183d774

SHA256
9938af23533f58d28f560c7b462cb160faf3fe9970b70e45a1ea9b5c1f45e600

SHA512
68ebaf1b1bc8583bb0e2df06601bce5c4da9135e664eb66667253e8279bf42574ecab101195be59fc724f79de8daaaa98dbf88af6307d56d5313832266c7e09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6453489.exe

Filesize
777KB

MD5
0511ea40d1fa19e14434fd870ea508f2

SHA1
d2a441ba187ecf07b37ef86a811cec934efc7d93

SHA256
0e3b1973837c0a88dd5065670a524b4ec2386fb9aa094c64ee29d22bd399658e

SHA512
127d59f4e57fc6b8fac6ea7c12273521ad91dda4f8bc43b834c6c22d23286a6a10f837e2b45b259f94517f01c9d02ba443878ffa8a9067dcca152649a2ec1b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6453489.exe

Filesize
777KB

MD5
0511ea40d1fa19e14434fd870ea508f2

SHA1
d2a441ba187ecf07b37ef86a811cec934efc7d93

SHA256
0e3b1973837c0a88dd5065670a524b4ec2386fb9aa094c64ee29d22bd399658e

SHA512
127d59f4e57fc6b8fac6ea7c12273521ad91dda4f8bc43b834c6c22d23286a6a10f837e2b45b259f94517f01c9d02ba443878ffa8a9067dcca152649a2ec1b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8650141.exe

Filesize
594KB

MD5
3fabccc131fff7c07a52cfe5da8d7343

SHA1
9bbf3772cb14624bb762e3820c236862488adf54

SHA256
7be05c555a82e2835bf33b6a6901e4cb75768212b574e575cd2e71d62a38d4c4

SHA512
6f1a3a5d3174dffdff4c8d69e85398073e9104168d685269c217d07e9d07cb520d7c32d513260d52aab5b2348c5a0fe01abe51603d9972c4484d27fd362535b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8650141.exe

Filesize
594KB

MD5
3fabccc131fff7c07a52cfe5da8d7343

SHA1
9bbf3772cb14624bb762e3820c236862488adf54

SHA256
7be05c555a82e2835bf33b6a6901e4cb75768212b574e575cd2e71d62a38d4c4

SHA512
6f1a3a5d3174dffdff4c8d69e85398073e9104168d685269c217d07e9d07cb520d7c32d513260d52aab5b2348c5a0fe01abe51603d9972c4484d27fd362535b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9756863.exe

Filesize
334KB

MD5
f18fa14f354419ee0165005d517c4b91

SHA1
e8923f1b5ded846dbe460d8f0c104cd889f1bdca

SHA256
4c27196be4832bfeca9421f297f4ddb580006c08468bcfc7b3272e5d0aa6cfef

SHA512
e0fbf93358930153b232c0f7765f7058d6554b6a384a3bb08d9480e2f6dbb4f2d53af442b73964110706179756e082432ae7d32e4f5712ab07a0d7a4d4614601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9756863.exe

Filesize
334KB

MD5
f18fa14f354419ee0165005d517c4b91

SHA1
e8923f1b5ded846dbe460d8f0c104cd889f1bdca

SHA256
4c27196be4832bfeca9421f297f4ddb580006c08468bcfc7b3272e5d0aa6cfef

SHA512
e0fbf93358930153b232c0f7765f7058d6554b6a384a3bb08d9480e2f6dbb4f2d53af442b73964110706179756e082432ae7d32e4f5712ab07a0d7a4d4614601

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4071845.exe

Filesize
221KB

MD5
fe38cf7303e8659c2f0f8b1352297842

SHA1
1df7c5995cd6e91177dd5cca22ae801d0da81144

SHA256
7385e5f30ef6ab52d4f557a20ebd5be50f409108260aa16caf9d516a452627f6

SHA512
ed54e9fd24c392fe20696b8add7a1a36b1b7b1b00e43c820764fe3008ebe4d2293a3aab22f5a2cf24b2fee8070b250ec6cb87b18fb96c3dc90ca3ba349f91788

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4071845.exe

Filesize
221KB

MD5
fe38cf7303e8659c2f0f8b1352297842

SHA1
1df7c5995cd6e91177dd5cca22ae801d0da81144

SHA256
7385e5f30ef6ab52d4f557a20ebd5be50f409108260aa16caf9d516a452627f6

SHA512
ed54e9fd24c392fe20696b8add7a1a36b1b7b1b00e43c820764fe3008ebe4d2293a3aab22f5a2cf24b2fee8070b250ec6cb87b18fb96c3dc90ca3ba349f91788

Download Submit
memory/2528-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2528-36-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-37-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-39-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download