healer | 01cbb546edbbf2f07c95b072826e1243baa3062126a5344486411ee9ab5e290a

Analysis

max time kernel
215s
max time network
235s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01cbb546edbbf2f07c95b072826e1243baa3062126a5344486411ee9ab5e290a.exe
Size

1.1MB
MD5

11f83175ec6575abd45436c7668c01bc
SHA1

57f0e1b4781ba132de91e5576cd364d50f10bb3e
SHA256

01cbb546edbbf2f07c95b072826e1243baa3062126a5344486411ee9ab5e290a
SHA512

16f3258979e68384a2c54b81eec3a091c3b8845dff3b08c8e4a4f104c85821bf6865e2104d5357c69143a63929bc23123831c570ace1a770ca9d0c6f625db813
SSDEEP

24576:pyhndiwDNEpl1e5cW33ARdhCg2i261WBu:cxQwupl1EcWnAfW61WB

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2900-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 5 IoCs

pid	Process
3700	z8399060.exe
1892	z9172143.exe
720	z8621977.exe
2584	z9042311.exe
4744	q3949953.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9042311.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	01cbb546edbbf2f07c95b072826e1243baa3062126a5344486411ee9ab5e290a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8399060.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9172143.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8621977.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4744 set thread context of 2900	4744	q3949953.exe	95

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	4744	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2900	AppLaunch.exe
2900	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	AppLaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 3700	1908	01cbb546edbbf2f07c95b072826e1243baa3062126a5344486411ee9ab5e290a.exe	88
PID 1908 wrote to memory of 3700	1908	01cbb546edbbf2f07c95b072826e1243baa3062126a5344486411ee9ab5e290a.exe	88
PID 1908 wrote to memory of 3700	1908	01cbb546edbbf2f07c95b072826e1243baa3062126a5344486411ee9ab5e290a.exe	88
PID 3700 wrote to memory of 1892	3700	z8399060.exe	89
PID 3700 wrote to memory of 1892	3700	z8399060.exe	89
PID 3700 wrote to memory of 1892	3700	z8399060.exe	89
PID 1892 wrote to memory of 720	1892	z9172143.exe	90
PID 1892 wrote to memory of 720	1892	z9172143.exe	90
PID 1892 wrote to memory of 720	1892	z9172143.exe	90
PID 720 wrote to memory of 2584	720	z8621977.exe	91
PID 720 wrote to memory of 2584	720	z8621977.exe	91
PID 720 wrote to memory of 2584	720	z8621977.exe	91
PID 2584 wrote to memory of 4744	2584	z9042311.exe	93
PID 2584 wrote to memory of 4744	2584	z9042311.exe	93
PID 2584 wrote to memory of 4744	2584	z9042311.exe	93
PID 4744 wrote to memory of 4112	4744	q3949953.exe	94
PID 4744 wrote to memory of 4112	4744	q3949953.exe	94
PID 4744 wrote to memory of 4112	4744	q3949953.exe	94
PID 4744 wrote to memory of 2900	4744	q3949953.exe	95
PID 4744 wrote to memory of 2900	4744	q3949953.exe	95
PID 4744 wrote to memory of 2900	4744	q3949953.exe	95
PID 4744 wrote to memory of 2900	4744	q3949953.exe	95
PID 4744 wrote to memory of 2900	4744	q3949953.exe	95
PID 4744 wrote to memory of 2900	4744	q3949953.exe	95
PID 4744 wrote to memory of 2900	4744	q3949953.exe	95
PID 4744 wrote to memory of 2900	4744	q3949953.exe	95

C:\Users\Admin\AppData\Local\Temp\01cbb546edbbf2f07c95b072826e1243baa3062126a5344486411ee9ab5e290a.exe
"C:\Users\Admin\AppData\Local\Temp\01cbb546edbbf2f07c95b072826e1243baa3062126a5344486411ee9ab5e290a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8399060.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8399060.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9172143.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9172143.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8621977.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8621977.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9042311.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9042311.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3949953.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3949953.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 584
        7⤵
        Program crash
        
        PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4744 -ip 4744
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8399060.exe

Filesize
997KB

MD5
125889453ebdfbb81962871ca60c211d

SHA1
4f91919f47efc655d0962a94bc64ca49827fa27a

SHA256
dee10fed2b628fa64dbdb0522cd335eb7bafdbc9cc2071debcd005b3f1f90ac5

SHA512
0c298602f1dfbbf276498834990303cb8e4747a90e7b0e686569ea6aeab66416ddef5589f79d281f536400f90952fbeb51ba90ba615bca7f237e8b04077a44d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8399060.exe

Filesize
997KB

MD5
125889453ebdfbb81962871ca60c211d

SHA1
4f91919f47efc655d0962a94bc64ca49827fa27a

SHA256
dee10fed2b628fa64dbdb0522cd335eb7bafdbc9cc2071debcd005b3f1f90ac5

SHA512
0c298602f1dfbbf276498834990303cb8e4747a90e7b0e686569ea6aeab66416ddef5589f79d281f536400f90952fbeb51ba90ba615bca7f237e8b04077a44d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9172143.exe

Filesize
814KB

MD5
a1432de0cbe7b5de9aedd93de7db99a2

SHA1
54be7b3cdc1db5d246a8d34b42cdd1df249d1a60

SHA256
dba4b377929fb8874341cf742cd19f210a3da8a744c8ee5f8f66a08d1f7ddacc

SHA512
68157e9167727b79c77ff131e40c050f448a0284500b4527111673af6f085b0d88c98dbee7f7371b8ccc32b62b36c8477590c95936eb0630ed5f18c379d3f175

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9172143.exe

Filesize
814KB

MD5
a1432de0cbe7b5de9aedd93de7db99a2

SHA1
54be7b3cdc1db5d246a8d34b42cdd1df249d1a60

SHA256
dba4b377929fb8874341cf742cd19f210a3da8a744c8ee5f8f66a08d1f7ddacc

SHA512
68157e9167727b79c77ff131e40c050f448a0284500b4527111673af6f085b0d88c98dbee7f7371b8ccc32b62b36c8477590c95936eb0630ed5f18c379d3f175

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8621977.exe

Filesize
632KB

MD5
21066eb79ee78c2ebf306274d5f2af33

SHA1
4c1b7dafd108438d92cd94c5e7947618ee84e2e9

SHA256
c19f6da89b1d941751c55f801f2857ccd16c60b06b7dc0f4aeed5b0e8ab6b7a7

SHA512
04f1b24e8d03cf161a85b8ced045b8f657406333ea66912951aba337e03ceb1cab2b03f63846b8247eace64153f90bc9c9debc02edd1447ddb1f9d7a41ef49a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8621977.exe

Filesize
632KB

MD5
21066eb79ee78c2ebf306274d5f2af33

SHA1
4c1b7dafd108438d92cd94c5e7947618ee84e2e9

SHA256
c19f6da89b1d941751c55f801f2857ccd16c60b06b7dc0f4aeed5b0e8ab6b7a7

SHA512
04f1b24e8d03cf161a85b8ced045b8f657406333ea66912951aba337e03ceb1cab2b03f63846b8247eace64153f90bc9c9debc02edd1447ddb1f9d7a41ef49a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9042311.exe

Filesize
354KB

MD5
55a99381d7aa126fa46789c95c1dcd91

SHA1
9d6ac425831d190b47dc8a3eadd537f0b9f23041

SHA256
7c4ef10fac562ab5f2542731bdc9e4599cf466bcf831a5dafd8673907883b536

SHA512
50c21a070f5203c0078e13dd24277c1ea8cfee9fd7e82053f630d0d9090b5a12b2c08a71160f17e5b272edea3e6bf3c2c56a898ffad3aea72d277ca6253bf6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9042311.exe

Filesize
354KB

MD5
55a99381d7aa126fa46789c95c1dcd91

SHA1
9d6ac425831d190b47dc8a3eadd537f0b9f23041

SHA256
7c4ef10fac562ab5f2542731bdc9e4599cf466bcf831a5dafd8673907883b536

SHA512
50c21a070f5203c0078e13dd24277c1ea8cfee9fd7e82053f630d0d9090b5a12b2c08a71160f17e5b272edea3e6bf3c2c56a898ffad3aea72d277ca6253bf6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3949953.exe

Filesize
250KB

MD5
6ca9edc49b9719b5377829c0fe76c982

SHA1
104e69e28ae2767cac31f6b8c8c53cfaca3722ff

SHA256
bdf128e0b3ea9e6380174a17bf8bbbe834ef131fd092ecd328563e4d905882ad

SHA512
3b83136c30641b8726ee48f9a950b0f4ca67a661d5aa105a53d2b5bb8420d925852fd6280c96d6e5393c38a10f94d9646221b6f33deb7978f8cfb6de5bf6ffce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3949953.exe

Filesize
250KB

MD5
6ca9edc49b9719b5377829c0fe76c982

SHA1
104e69e28ae2767cac31f6b8c8c53cfaca3722ff

SHA256
bdf128e0b3ea9e6380174a17bf8bbbe834ef131fd092ecd328563e4d905882ad

SHA512
3b83136c30641b8726ee48f9a950b0f4ca67a661d5aa105a53d2b5bb8420d925852fd6280c96d6e5393c38a10f94d9646221b6f33deb7978f8cfb6de5bf6ffce

Download Submit
memory/2900-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2900-36-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/2900-37-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/2900-39-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download