healer | febf4dbb5e35cd83410431aff439b45a830b2b372ad65586701e733e6e7f32a1

Analysis

max time kernel
194s
max time network
238s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

febf4dbb5e35cd83410431aff439b45a830b2b372ad65586701e733e6e7f32a1.exe
Size

1.0MB
MD5

595b16bd709faf941122634c56e94ef1
SHA1

cf3f70beaa9a7b186eb886eee4d847f35e5601b4
SHA256

febf4dbb5e35cd83410431aff439b45a830b2b372ad65586701e733e6e7f32a1
SHA512

5e4478a39ab929c56b978d3027c84d3526f95c99e142402cca405eb5e46f72f70e25914fd64ffb774bc2f1a5602fcf6f9f38952ec46d06050b9893ad71dee0de
SSDEEP

24576:LyAz23fRfc5hXg68haO3TCeQO4ZAG9OAx1Wy1P:+g23ZEbz6CeQOwf9OA//

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1372-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
2808	z5458507.exe
1900	z6868505.exe
3828	z2647550.exe
3844	z1992445.exe
2244	q8213567.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	febf4dbb5e35cd83410431aff439b45a830b2b372ad65586701e733e6e7f32a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5458507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6868505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2647550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z1992445.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2244 set thread context of 1372	2244	q8213567.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2060	2244	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1372	AppLaunch.exe
1372	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 2808	4124	febf4dbb5e35cd83410431aff439b45a830b2b372ad65586701e733e6e7f32a1.exe	89
PID 4124 wrote to memory of 2808	4124	febf4dbb5e35cd83410431aff439b45a830b2b372ad65586701e733e6e7f32a1.exe	89
PID 4124 wrote to memory of 2808	4124	febf4dbb5e35cd83410431aff439b45a830b2b372ad65586701e733e6e7f32a1.exe	89
PID 2808 wrote to memory of 1900	2808	z5458507.exe	90
PID 2808 wrote to memory of 1900	2808	z5458507.exe	90
PID 2808 wrote to memory of 1900	2808	z5458507.exe	90
PID 1900 wrote to memory of 3828	1900	z6868505.exe	91
PID 1900 wrote to memory of 3828	1900	z6868505.exe	91
PID 1900 wrote to memory of 3828	1900	z6868505.exe	91
PID 3828 wrote to memory of 3844	3828	z2647550.exe	92
PID 3828 wrote to memory of 3844	3828	z2647550.exe	92
PID 3828 wrote to memory of 3844	3828	z2647550.exe	92
PID 3844 wrote to memory of 2244	3844	z1992445.exe	93
PID 3844 wrote to memory of 2244	3844	z1992445.exe	93
PID 3844 wrote to memory of 2244	3844	z1992445.exe	93
PID 2244 wrote to memory of 1372	2244	q8213567.exe	95
PID 2244 wrote to memory of 1372	2244	q8213567.exe	95
PID 2244 wrote to memory of 1372	2244	q8213567.exe	95
PID 2244 wrote to memory of 1372	2244	q8213567.exe	95
PID 2244 wrote to memory of 1372	2244	q8213567.exe	95
PID 2244 wrote to memory of 1372	2244	q8213567.exe	95
PID 2244 wrote to memory of 1372	2244	q8213567.exe	95
PID 2244 wrote to memory of 1372	2244	q8213567.exe	95

C:\Users\Admin\AppData\Local\Temp\febf4dbb5e35cd83410431aff439b45a830b2b372ad65586701e733e6e7f32a1.exe
"C:\Users\Admin\AppData\Local\Temp\febf4dbb5e35cd83410431aff439b45a830b2b372ad65586701e733e6e7f32a1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5458507.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5458507.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6868505.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6868505.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2647550.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2647550.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1992445.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1992445.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3844
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8213567.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8213567.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 156
        7⤵
        Program crash
        
        PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2244 -ip 2244
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5458507.exe

Filesize
963KB

MD5
4b0fcb8fa08c31732613b198d79bba88

SHA1
be30c0cd02cd62eff6a56111726ba285aa09f7cd

SHA256
004010171cfa6ce34938a8e8592e1b94bbe98dbdaef51c63e8641514257f7644

SHA512
7407a59f689d3ead1e86c92582d794d49c5fb1d17ee42e52f1efd81aa00e5ba698094e09dbbb4178e9f093e78d36c01e5e6d45bfc8da4be45231784f73303951

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5458507.exe

Filesize
963KB

MD5
4b0fcb8fa08c31732613b198d79bba88

SHA1
be30c0cd02cd62eff6a56111726ba285aa09f7cd

SHA256
004010171cfa6ce34938a8e8592e1b94bbe98dbdaef51c63e8641514257f7644

SHA512
7407a59f689d3ead1e86c92582d794d49c5fb1d17ee42e52f1efd81aa00e5ba698094e09dbbb4178e9f093e78d36c01e5e6d45bfc8da4be45231784f73303951

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6868505.exe

Filesize
782KB

MD5
55dd467cf55c78390ee3fc93464cb3ca

SHA1
6524a694d2a7fc73a14dda912cf053832e5064b5

SHA256
d2340d13fb29cbd69041b83b6f09f87a8fa85017a87a2bfe3299a3ebcb72476c

SHA512
adc06e6647687001919540ce3ca8ee1541586e75bc16242a96163db2329338e36ff52b496657acdbdd0c2776030706ec1c5c09186462a433a756cfda05f7a0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6868505.exe

Filesize
782KB

MD5
55dd467cf55c78390ee3fc93464cb3ca

SHA1
6524a694d2a7fc73a14dda912cf053832e5064b5

SHA256
d2340d13fb29cbd69041b83b6f09f87a8fa85017a87a2bfe3299a3ebcb72476c

SHA512
adc06e6647687001919540ce3ca8ee1541586e75bc16242a96163db2329338e36ff52b496657acdbdd0c2776030706ec1c5c09186462a433a756cfda05f7a0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2647550.exe

Filesize
599KB

MD5
94aa8db27f02db5a594988dbf4bb9ccf

SHA1
709f64dc83fdad2565c8907ec607bd73f4a7771f

SHA256
4f9bf2f27144ce3793f03ff5ac942adf7cb476c5ced576e90bcb4bc444e4e202

SHA512
2dc1b9348fd700ade7eb42d12fdcf2011b0fbfc0016fcbc5b18f8f4f24057d1e29341dc52d2a275b0cf686b34ff04c2f52add2ca15d9096ff12b2a82fb5ffc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2647550.exe

Filesize
599KB

MD5
94aa8db27f02db5a594988dbf4bb9ccf

SHA1
709f64dc83fdad2565c8907ec607bd73f4a7771f

SHA256
4f9bf2f27144ce3793f03ff5ac942adf7cb476c5ced576e90bcb4bc444e4e202

SHA512
2dc1b9348fd700ade7eb42d12fdcf2011b0fbfc0016fcbc5b18f8f4f24057d1e29341dc52d2a275b0cf686b34ff04c2f52add2ca15d9096ff12b2a82fb5ffc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1992445.exe

Filesize
337KB

MD5
aa0ebe39a7bb171ff2f2a3582e5da09a

SHA1
88b0a3fa101216152ab72aaf93765a62068c3bb5

SHA256
24e585e95acc9ff724ac4967263948afa93fb6767edf17d7522b02cbf52ec5c2

SHA512
1491ccb598746a85a9048d81e9fdeeac288a16c402cfb73226a31de106f3d795467584583104bb70d73e41f3f777b2c7d10ca8a80224baf6cf128e88ab5b1f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1992445.exe

Filesize
337KB

MD5
aa0ebe39a7bb171ff2f2a3582e5da09a

SHA1
88b0a3fa101216152ab72aaf93765a62068c3bb5

SHA256
24e585e95acc9ff724ac4967263948afa93fb6767edf17d7522b02cbf52ec5c2

SHA512
1491ccb598746a85a9048d81e9fdeeac288a16c402cfb73226a31de106f3d795467584583104bb70d73e41f3f777b2c7d10ca8a80224baf6cf128e88ab5b1f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8213567.exe

Filesize
217KB

MD5
c00d3cc3cf5346da746955eb547fd1e0

SHA1
e2d85fe4f195dcd9237792137a0faa5bdf7d1b71

SHA256
b4a7d388a92483077207fb971d70c26241bd21254da0a462cdea0dd1e2dcdf56

SHA512
6bac8133239bcbf783826dbc565d367e7c2621539184e447c894ac7cef7671dd2381122b12561baef1be777ab7f91a2623fc611c1a16cdf5d74891aa925e43a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8213567.exe

Filesize
217KB

MD5
c00d3cc3cf5346da746955eb547fd1e0

SHA1
e2d85fe4f195dcd9237792137a0faa5bdf7d1b71

SHA256
b4a7d388a92483077207fb971d70c26241bd21254da0a462cdea0dd1e2dcdf56

SHA512
6bac8133239bcbf783826dbc565d367e7c2621539184e447c894ac7cef7671dd2381122b12561baef1be777ab7f91a2623fc611c1a16cdf5d74891aa925e43a3

Download Submit
memory/1372-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1372-36-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/1372-37-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download
memory/1372-39-0x00000000740A0000-0x0000000074850000-memory.dmp

Filesize
7.7MB

Download