healer | d0c7cdc3d14cff42eeef5a0b7b7947929c338a4be148099886f58d7052f5d7a5

Analysis

max time kernel
213s
max time network
227s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 01:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d0c7cdc3d14cff42eeef5a0b7b7947929c338a4be148099886f58d7052f5d7a5.exe
Size

1.0MB
MD5

a737a998ceeaf29e58d3ef21d274af76
SHA1

f06d99ed7f79df0351136e1a4b35c67c104407ff
SHA256

d0c7cdc3d14cff42eeef5a0b7b7947929c338a4be148099886f58d7052f5d7a5
SHA512

8138c420740f4ab4906868eb70af9b0b1705af50e8b7cdc98d688cbabac8657f3496e3a18cdacb206abbed992473ccf8e00ba76cb97a7a579f0780bb76617d95
SSDEEP

24576:wydJ8j9l9V8Jg0PcSZALJluvmZrd5gs0kHrkenj8PT/g:3dJ+5V8JgIALJqmZrd5t0Uoenjw

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/876-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Executes dropped EXE 6 IoCs

pid	Process
5088	z1375193.exe
816	z9344938.exe
4948	z1057820.exe
1072	z2177828.exe
4224	q9361826.exe
4900	r8445189.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d0c7cdc3d14cff42eeef5a0b7b7947929c338a4be148099886f58d7052f5d7a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1375193.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9344938.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1057820.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2177828.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4224 set thread context of 876	4224	q9361826.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1108	4224	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
876	AppLaunch.exe
876	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	AppLaunch.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 5088	2172	d0c7cdc3d14cff42eeef5a0b7b7947929c338a4be148099886f58d7052f5d7a5.exe	83
PID 2172 wrote to memory of 5088	2172	d0c7cdc3d14cff42eeef5a0b7b7947929c338a4be148099886f58d7052f5d7a5.exe	83
PID 2172 wrote to memory of 5088	2172	d0c7cdc3d14cff42eeef5a0b7b7947929c338a4be148099886f58d7052f5d7a5.exe	83
PID 5088 wrote to memory of 816	5088	z1375193.exe	86
PID 5088 wrote to memory of 816	5088	z1375193.exe	86
PID 5088 wrote to memory of 816	5088	z1375193.exe	86
PID 816 wrote to memory of 4948	816	z9344938.exe	88
PID 816 wrote to memory of 4948	816	z9344938.exe	88
PID 816 wrote to memory of 4948	816	z9344938.exe	88
PID 4948 wrote to memory of 1072	4948	z1057820.exe	89
PID 4948 wrote to memory of 1072	4948	z1057820.exe	89
PID 4948 wrote to memory of 1072	4948	z1057820.exe	89
PID 1072 wrote to memory of 4224	1072	z2177828.exe	90
PID 1072 wrote to memory of 4224	1072	z2177828.exe	90
PID 1072 wrote to memory of 4224	1072	z2177828.exe	90
PID 4224 wrote to memory of 3996	4224	q9361826.exe	91
PID 4224 wrote to memory of 3996	4224	q9361826.exe	91
PID 4224 wrote to memory of 3996	4224	q9361826.exe	91
PID 4224 wrote to memory of 876	4224	q9361826.exe	92
PID 4224 wrote to memory of 876	4224	q9361826.exe	92
PID 4224 wrote to memory of 876	4224	q9361826.exe	92
PID 4224 wrote to memory of 876	4224	q9361826.exe	92
PID 4224 wrote to memory of 876	4224	q9361826.exe	92
PID 4224 wrote to memory of 876	4224	q9361826.exe	92
PID 4224 wrote to memory of 876	4224	q9361826.exe	92
PID 4224 wrote to memory of 876	4224	q9361826.exe	92
PID 1072 wrote to memory of 4900	1072	z2177828.exe	99
PID 1072 wrote to memory of 4900	1072	z2177828.exe	99
PID 1072 wrote to memory of 4900	1072	z2177828.exe	99

C:\Users\Admin\AppData\Local\Temp\d0c7cdc3d14cff42eeef5a0b7b7947929c338a4be148099886f58d7052f5d7a5.exe
"C:\Users\Admin\AppData\Local\Temp\d0c7cdc3d14cff42eeef5a0b7b7947929c338a4be148099886f58d7052f5d7a5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1375193.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1375193.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9344938.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9344938.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1057820.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1057820.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2177828.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2177828.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9361826.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9361826.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 572
        7⤵
        Program crash
        
        PID:1108
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8445189.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8445189.exe
        6⤵
        Executes dropped EXE
        
        PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4224 -ip 4224
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1375193.exe

Filesize
969KB

MD5
a612da1a6d3760c2cca90b6cfc4094be

SHA1
df9ad6a702d0f8a2851fec0fd2a1a39a14afd469

SHA256
82445da477a7173e190bfe07e54452bf6708b9ccc69e1324379e865588f78aba

SHA512
0bf3db3360811617c98afa249ec70de51f256745d68770b727a953db5ef82892d71adcc75da288f018ad2e9bade2720d0370fe6875fbe7e642e1abc149f82a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1375193.exe

Filesize
969KB

MD5
a612da1a6d3760c2cca90b6cfc4094be

SHA1
df9ad6a702d0f8a2851fec0fd2a1a39a14afd469

SHA256
82445da477a7173e190bfe07e54452bf6708b9ccc69e1324379e865588f78aba

SHA512
0bf3db3360811617c98afa249ec70de51f256745d68770b727a953db5ef82892d71adcc75da288f018ad2e9bade2720d0370fe6875fbe7e642e1abc149f82a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9344938.exe

Filesize
787KB

MD5
c7c1c9b4c87b8bcc79b97b4f24f6a3ac

SHA1
616fd064493ab03e116f53e3c4d0aeeceafae024

SHA256
9b08c4edba863c4db7216ed8fd357b8084c66d7b9d8ee67156273ff795926bce

SHA512
d8dac02339d740737130850e629dc8af3e3606f3462ecc41034ae7426f150b7f240b3c7907f0cb9486e1e115291cb8153e9ab0b0ec2eb9a75ceeb35170e37a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9344938.exe

Filesize
787KB

MD5
c7c1c9b4c87b8bcc79b97b4f24f6a3ac

SHA1
616fd064493ab03e116f53e3c4d0aeeceafae024

SHA256
9b08c4edba863c4db7216ed8fd357b8084c66d7b9d8ee67156273ff795926bce

SHA512
d8dac02339d740737130850e629dc8af3e3606f3462ecc41034ae7426f150b7f240b3c7907f0cb9486e1e115291cb8153e9ab0b0ec2eb9a75ceeb35170e37a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1057820.exe

Filesize
603KB

MD5
30f4260a25c2dcc4049fb7a7b9b04097

SHA1
7a5831fc5034a3b1d7e48d525f5369e9dc91045e

SHA256
ffc385e988244a7d85b5ea21184f34585c34ee5ac4043a58c8e86821b84213b0

SHA512
246f6a0d811dc1b5604aafa1327402c5b2172ea698d678170469a6b4d09f2d38b7953c32002f2349bbe7da7249fc8d3008188a2a3115974590acf0b82573cb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1057820.exe

Filesize
603KB

MD5
30f4260a25c2dcc4049fb7a7b9b04097

SHA1
7a5831fc5034a3b1d7e48d525f5369e9dc91045e

SHA256
ffc385e988244a7d85b5ea21184f34585c34ee5ac4043a58c8e86821b84213b0

SHA512
246f6a0d811dc1b5604aafa1327402c5b2172ea698d678170469a6b4d09f2d38b7953c32002f2349bbe7da7249fc8d3008188a2a3115974590acf0b82573cb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2177828.exe

Filesize
344KB

MD5
394fa4481a83b02a2d9ae62e0462df7a

SHA1
aab88adc4da1929b1c242d920f53cf0ba731dbc6

SHA256
bd13fd729c02445a4a4879eab0601b3c74c2e9b6a3b4f846d34fce0dd32d4d73

SHA512
81b4ead53b7bc4b7fa1d91d7f2e934dd530c06329090ba4e2ff837399f14b55c9b77ccdc4cf92addeb73adabcca4cb1fface8837de3bbf930400ca7a0f51d00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2177828.exe

Filesize
344KB

MD5
394fa4481a83b02a2d9ae62e0462df7a

SHA1
aab88adc4da1929b1c242d920f53cf0ba731dbc6

SHA256
bd13fd729c02445a4a4879eab0601b3c74c2e9b6a3b4f846d34fce0dd32d4d73

SHA512
81b4ead53b7bc4b7fa1d91d7f2e934dd530c06329090ba4e2ff837399f14b55c9b77ccdc4cf92addeb73adabcca4cb1fface8837de3bbf930400ca7a0f51d00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9361826.exe

Filesize
220KB

MD5
2c125b52a4812d647ad1f5479d360e2a

SHA1
d8d552721a547a63f0f45fafa738d6bfcbf4cfc3

SHA256
68b299c7c21cfa5c3d2093667e71dc0132dbaf013aa2ba272872cae14573a111

SHA512
2b634bfe4af19b127fad1f9ceb894027d72f818c606934caaf0b97ce62e508bfba6dc975d4a6c869ef2004403944f67a1c9f6bbfc0f4bb0be64d65d6e2c87e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9361826.exe

Filesize
220KB

MD5
2c125b52a4812d647ad1f5479d360e2a

SHA1
d8d552721a547a63f0f45fafa738d6bfcbf4cfc3

SHA256
68b299c7c21cfa5c3d2093667e71dc0132dbaf013aa2ba272872cae14573a111

SHA512
2b634bfe4af19b127fad1f9ceb894027d72f818c606934caaf0b97ce62e508bfba6dc975d4a6c869ef2004403944f67a1c9f6bbfc0f4bb0be64d65d6e2c87e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8445189.exe

Filesize
364KB

MD5
7a45b8e28deafbff84a5e2d896fb9918

SHA1
6d7f8d9214249c127cf66e2a97ff9caf02171d19

SHA256
904e8092cef11f4eb325eb782298f31094b23d511c090e27156b50dff9b38af8

SHA512
b0de63fe9bf759b064570d8a880d1757d0193434b6188832db70e8c724f1fb3942b3a82c59231ab11589f016bda06840a8c21c0263bd841671e2dff5009ac293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8445189.exe

Filesize
364KB

MD5
7a45b8e28deafbff84a5e2d896fb9918

SHA1
6d7f8d9214249c127cf66e2a97ff9caf02171d19

SHA256
904e8092cef11f4eb325eb782298f31094b23d511c090e27156b50dff9b38af8

SHA512
b0de63fe9bf759b064570d8a880d1757d0193434b6188832db70e8c724f1fb3942b3a82c59231ab11589f016bda06840a8c21c0263bd841671e2dff5009ac293

Download Submit
memory/876-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/876-36-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/876-37-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/876-39-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download