healer | c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab

Analysis

max time kernel
171s
max time network
242s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26274fe67b8533068c77b7ab5af38976.exe
Size

1.1MB
MD5

26274fe67b8533068c77b7ab5af38976
SHA1

0d26933a593c4329006e5e3b7685f747f87c6e3f
SHA256

c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab
SHA512

33d48cb553fb022316e7bb7c42b0298f43c0f1c6c9a40550d9ba87050137d5b706397cbc31ad52ec8fdee2a90da2e71cfc94091d44f6b0bc908f9a17f5a529fe
SSDEEP

24576:qyrGGvIIhhYElXPjNecSYbp33HdnMSeAOtyGPr9MEQj68epVVHzuln4:xrbvIah3VPjNmYNHHdnNLO1MNj68eJSh

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/3940-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
1164	z6040409.exe
4332	z5855806.exe
3196	z0665409.exe
2344	z8199432.exe
4680	q6931783.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	26274fe67b8533068c77b7ab5af38976.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6040409.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5855806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0665409.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z8199432.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 3940	4680	q6931783.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	4680	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3940	AppLaunch.exe
3940	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 1164	3200	26274fe67b8533068c77b7ab5af38976.exe	90
PID 3200 wrote to memory of 1164	3200	26274fe67b8533068c77b7ab5af38976.exe	90
PID 3200 wrote to memory of 1164	3200	26274fe67b8533068c77b7ab5af38976.exe	90
PID 1164 wrote to memory of 4332	1164	z6040409.exe	91
PID 1164 wrote to memory of 4332	1164	z6040409.exe	91
PID 1164 wrote to memory of 4332	1164	z6040409.exe	91
PID 4332 wrote to memory of 3196	4332	z5855806.exe	92
PID 4332 wrote to memory of 3196	4332	z5855806.exe	92
PID 4332 wrote to memory of 3196	4332	z5855806.exe	92
PID 3196 wrote to memory of 2344	3196	z0665409.exe	93
PID 3196 wrote to memory of 2344	3196	z0665409.exe	93
PID 3196 wrote to memory of 2344	3196	z0665409.exe	93
PID 2344 wrote to memory of 4680	2344	z8199432.exe	94
PID 2344 wrote to memory of 4680	2344	z8199432.exe	94
PID 2344 wrote to memory of 4680	2344	z8199432.exe	94
PID 4680 wrote to memory of 3940	4680	q6931783.exe	95
PID 4680 wrote to memory of 3940	4680	q6931783.exe	95
PID 4680 wrote to memory of 3940	4680	q6931783.exe	95
PID 4680 wrote to memory of 3940	4680	q6931783.exe	95
PID 4680 wrote to memory of 3940	4680	q6931783.exe	95
PID 4680 wrote to memory of 3940	4680	q6931783.exe	95
PID 4680 wrote to memory of 3940	4680	q6931783.exe	95
PID 4680 wrote to memory of 3940	4680	q6931783.exe	95

C:\Users\Admin\AppData\Local\Temp\26274fe67b8533068c77b7ab5af38976.exe
"C:\Users\Admin\AppData\Local\Temp\26274fe67b8533068c77b7ab5af38976.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6040409.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6040409.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855806.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855806.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0665409.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0665409.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8199432.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8199432.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6931783.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6931783.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 568
        7⤵
        Program crash
        
        PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4680 -ip 4680
1⤵
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6040409.exe

Filesize
995KB

MD5
6f74ee41e3adc83375c91ce8ad937f64

SHA1
43cc9ef99c6c491d946091d10820de91cfa11c97

SHA256
6e44ef996a87d1c92fc071f150f28e97aa309b40bac2bfa9c1e3c6386b7c68bc

SHA512
1d8bb30ddd47e5b38d78e43e1bcabc8b5ba9077f8b01083cc67c9272f570b27d59f15e2c9c12bb6e41cf229dbbc67f2b64ac56783549980bf1859552bf17435b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6040409.exe

Filesize
995KB

MD5
6f74ee41e3adc83375c91ce8ad937f64

SHA1
43cc9ef99c6c491d946091d10820de91cfa11c97

SHA256
6e44ef996a87d1c92fc071f150f28e97aa309b40bac2bfa9c1e3c6386b7c68bc

SHA512
1d8bb30ddd47e5b38d78e43e1bcabc8b5ba9077f8b01083cc67c9272f570b27d59f15e2c9c12bb6e41cf229dbbc67f2b64ac56783549980bf1859552bf17435b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855806.exe

Filesize
815KB

MD5
8ec635529f533d78d1846b8199e658bc

SHA1
3add0981881a71b8976f44909e7cee9dee5ae963

SHA256
5ec43d96b29288c0388786794a673000069de2fcba85ff37a7c000fb4d020c54

SHA512
e0cd8b1505ea96405dc73b363da8704b028c7413686b4ec050ffb5f28957fd646555a4cc6462481d19e4818050114760dfb4519ae48166402fac9dfa185ab10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855806.exe

Filesize
815KB

MD5
8ec635529f533d78d1846b8199e658bc

SHA1
3add0981881a71b8976f44909e7cee9dee5ae963

SHA256
5ec43d96b29288c0388786794a673000069de2fcba85ff37a7c000fb4d020c54

SHA512
e0cd8b1505ea96405dc73b363da8704b028c7413686b4ec050ffb5f28957fd646555a4cc6462481d19e4818050114760dfb4519ae48166402fac9dfa185ab10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0665409.exe

Filesize
631KB

MD5
01c7f8529f7c9d3318a78dc7fd6545be

SHA1
eb0d9c4231402a2af5703dbb67fd21220a0e0aea

SHA256
bfc6a39c9791410a234aee5b40bbaafd0878d313b50634465ca54c53c07fe204

SHA512
028e7623cb767927f5495b66f216c2a34cccd91e008a77baa897fcea490d9cd40e27b0903276257ef782682dc96b720ae37b54c4d17b69d32a900f7fd572ed79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0665409.exe

Filesize
631KB

MD5
01c7f8529f7c9d3318a78dc7fd6545be

SHA1
eb0d9c4231402a2af5703dbb67fd21220a0e0aea

SHA256
bfc6a39c9791410a234aee5b40bbaafd0878d313b50634465ca54c53c07fe204

SHA512
028e7623cb767927f5495b66f216c2a34cccd91e008a77baa897fcea490d9cd40e27b0903276257ef782682dc96b720ae37b54c4d17b69d32a900f7fd572ed79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8199432.exe

Filesize
354KB

MD5
92a5fbdcaf01e05d8f82907a78df632b

SHA1
1e0672d5f85636d5a7fd7b7467f70f01ca6aade9

SHA256
6dcbf4738524c2240f3ea8fd6e31de0cb77827e66ed7b27638f8bca8de5d79f4

SHA512
03606af800346e8708016b7779c22e576cc1f5f7f5c8dca217e6fb2a1cd89a93e4fc6a176ba30e5f25e3a0a643833622bb796003bc44508a0a2b8e0cb1c57685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8199432.exe

Filesize
354KB

MD5
92a5fbdcaf01e05d8f82907a78df632b

SHA1
1e0672d5f85636d5a7fd7b7467f70f01ca6aade9

SHA256
6dcbf4738524c2240f3ea8fd6e31de0cb77827e66ed7b27638f8bca8de5d79f4

SHA512
03606af800346e8708016b7779c22e576cc1f5f7f5c8dca217e6fb2a1cd89a93e4fc6a176ba30e5f25e3a0a643833622bb796003bc44508a0a2b8e0cb1c57685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6931783.exe

Filesize
250KB

MD5
db3ee2dac8a6245e3e8209b11409cc97

SHA1
41d193bbc36ffe7ba3faefe18e58de6ec9995285

SHA256
54b654d4cab523977ce6e161855b2997989b8aa0ba27a0db48d084935af1ba6b

SHA512
61c14f494ba8b0441300520ca5e759ac2148b021e2e25103e2c3363e1a1dad4b2612f0a7867df8ecfe419fddc2cf9c1a632cb68e15d3f038ec28df8f41802878

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6931783.exe

Filesize
250KB

MD5
db3ee2dac8a6245e3e8209b11409cc97

SHA1
41d193bbc36ffe7ba3faefe18e58de6ec9995285

SHA256
54b654d4cab523977ce6e161855b2997989b8aa0ba27a0db48d084935af1ba6b

SHA512
61c14f494ba8b0441300520ca5e759ac2148b021e2e25103e2c3363e1a1dad4b2612f0a7867df8ecfe419fddc2cf9c1a632cb68e15d3f038ec28df8f41802878

Download Submit
memory/3940-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3940-36-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/3940-37-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/3940-39-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download