healer | c82fe254e8cfb54a0b412db6a1150ac6952e3f9beb73fde881529bd737581d3a

Analysis

max time kernel
216s
max time network
241s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82fe254e8cfb54a0b412db6a1150ac6952e3f9beb73fde881529bd737581d3a.exe
Size

1.0MB
MD5

d458ad458abc415304fd2c142d7f4745
SHA1

6acfc584e7f647685db6a1d167c1a68b5d7d1a0b
SHA256

c82fe254e8cfb54a0b412db6a1150ac6952e3f9beb73fde881529bd737581d3a
SHA512

3e91ac67520164034976dbc4c516d0a10eed6f70f8aa4f5766b97c5a4dbb3f4136f1b3454dcb78fc3e72d06bae601d8facd35d25ad2b39545482c93438fa573f
SSDEEP

24576:byB7LsVeg07T5RZzVgOoLuzdj6nEmSJBoCWI:OB3Wd0vXrAO2nEmWBoC

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231d7-33.dat	healer
behavioral2/files/0x00070000000231d7-34.dat	healer
behavioral2/memory/4120-35-0x0000000000D80000-0x0000000000D8A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6974817.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6974817.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6974817.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6974817.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6974817.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q6974817.exe

Executes dropped EXE 7 IoCs

pid	Process
964	z7433478.exe
3356	z7097406.exe
4648	z9918756.exe
1556	z6079066.exe
4120	q6974817.exe
1748	r3415629.exe
676	s9758465.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6974817.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c82fe254e8cfb54a0b412db6a1150ac6952e3f9beb73fde881529bd737581d3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7433478.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7097406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9918756.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z6079066.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 1516	1748	r3415629.exe	97

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5028	1516	WerFault.exe	97
2536	1516	WerFault.exe	97
2028	1748	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4120	q6974817.exe
4120	q6974817.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	q6974817.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 964	4428	c82fe254e8cfb54a0b412db6a1150ac6952e3f9beb73fde881529bd737581d3a.exe	87
PID 4428 wrote to memory of 964	4428	c82fe254e8cfb54a0b412db6a1150ac6952e3f9beb73fde881529bd737581d3a.exe	87
PID 4428 wrote to memory of 964	4428	c82fe254e8cfb54a0b412db6a1150ac6952e3f9beb73fde881529bd737581d3a.exe	87
PID 964 wrote to memory of 3356	964	z7433478.exe	88
PID 964 wrote to memory of 3356	964	z7433478.exe	88
PID 964 wrote to memory of 3356	964	z7433478.exe	88
PID 3356 wrote to memory of 4648	3356	z7097406.exe	89
PID 3356 wrote to memory of 4648	3356	z7097406.exe	89
PID 3356 wrote to memory of 4648	3356	z7097406.exe	89
PID 4648 wrote to memory of 1556	4648	z9918756.exe	90
PID 4648 wrote to memory of 1556	4648	z9918756.exe	90
PID 4648 wrote to memory of 1556	4648	z9918756.exe	90
PID 1556 wrote to memory of 4120	1556	z6079066.exe	93
PID 1556 wrote to memory of 4120	1556	z6079066.exe	93
PID 1556 wrote to memory of 1748	1556	z6079066.exe	96
PID 1556 wrote to memory of 1748	1556	z6079066.exe	96
PID 1556 wrote to memory of 1748	1556	z6079066.exe	96
PID 1748 wrote to memory of 1516	1748	r3415629.exe	97
PID 1748 wrote to memory of 1516	1748	r3415629.exe	97
PID 1748 wrote to memory of 1516	1748	r3415629.exe	97
PID 1748 wrote to memory of 1516	1748	r3415629.exe	97
PID 1748 wrote to memory of 1516	1748	r3415629.exe	97
PID 1748 wrote to memory of 1516	1748	r3415629.exe	97
PID 1748 wrote to memory of 1516	1748	r3415629.exe	97
PID 1748 wrote to memory of 1516	1748	r3415629.exe	97
PID 1748 wrote to memory of 1516	1748	r3415629.exe	97
PID 1748 wrote to memory of 1516	1748	r3415629.exe	97
PID 1516 wrote to memory of 5028	1516	AppLaunch.exe	101
PID 1516 wrote to memory of 5028	1516	AppLaunch.exe	101
PID 1516 wrote to memory of 5028	1516	AppLaunch.exe	101
PID 4648 wrote to memory of 676	4648	z9918756.exe	107
PID 4648 wrote to memory of 676	4648	z9918756.exe	107
PID 4648 wrote to memory of 676	4648	z9918756.exe	107

C:\Users\Admin\AppData\Local\Temp\c82fe254e8cfb54a0b412db6a1150ac6952e3f9beb73fde881529bd737581d3a.exe
"C:\Users\Admin\AppData\Local\Temp\c82fe254e8cfb54a0b412db6a1150ac6952e3f9beb73fde881529bd737581d3a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7433478.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7433478.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7097406.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7097406.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9918756.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9918756.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6079066.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6079066.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6974817.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6974817.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3415629.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3415629.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 540
        8⤵
        Program crash
        
        PID:5028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 540
        8⤵
        Program crash
        
        PID:2536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 552
        7⤵
        Program crash
        
        PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9758465.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9758465.exe
        5⤵
        Executes dropped EXE
        
        PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1516 -ip 1516
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1748 -ip 1748
1⤵
PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7433478.exe

Filesize
969KB

MD5
78baa7a42ee7ceac6f2c08d4184cd5fe

SHA1
fb7ecc79b1f22251ad0da4754824f570b413459e

SHA256
86e58acbec86b0c2ddd027a3e7e3e9e892f733c75779427c8e670a52e483cb4f

SHA512
0834a14f99635ee41cd7a7919dbcbbdd8427863ca323bd572c1fcf08f0e8e7a6d6f48a57d0861181e8a5afee90b9c950d137210785121b95bf6a4103ca10a480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7433478.exe

Filesize
969KB

MD5
78baa7a42ee7ceac6f2c08d4184cd5fe

SHA1
fb7ecc79b1f22251ad0da4754824f570b413459e

SHA256
86e58acbec86b0c2ddd027a3e7e3e9e892f733c75779427c8e670a52e483cb4f

SHA512
0834a14f99635ee41cd7a7919dbcbbdd8427863ca323bd572c1fcf08f0e8e7a6d6f48a57d0861181e8a5afee90b9c950d137210785121b95bf6a4103ca10a480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7097406.exe

Filesize
787KB

MD5
bfd2c36ec597471d08a0b177693e169b

SHA1
761d13db837884999939711519bc686e8713d4e7

SHA256
ca57db586b21557bdf43d0ebab2f5cd57031cf3e62465b55f81501cd36b75ef0

SHA512
f0f026c215dcc7a670a35c060c1c1d490bd820cafde97a7fd5a6114da18bc5f364a7bbd398436ea8c62ffbe9609ec0a7ea1dadc6eb0c24c87a8e941825b42d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7097406.exe

Filesize
787KB

MD5
bfd2c36ec597471d08a0b177693e169b

SHA1
761d13db837884999939711519bc686e8713d4e7

SHA256
ca57db586b21557bdf43d0ebab2f5cd57031cf3e62465b55f81501cd36b75ef0

SHA512
f0f026c215dcc7a670a35c060c1c1d490bd820cafde97a7fd5a6114da18bc5f364a7bbd398436ea8c62ffbe9609ec0a7ea1dadc6eb0c24c87a8e941825b42d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9918756.exe

Filesize
604KB

MD5
eb7f5142ac49f5c874d6ad0cd2e9419c

SHA1
8748e1fcc89a33245c764990da0ec21046af86a4

SHA256
bb23875ac2c644d848765a1c500aa2e68bfb4900b41517329e2ef4a57b193478

SHA512
690e685cd412ca953791dd5494ad037088f0670e7f25e84f7dad666f167163db5b80f0ba5be9132c1961252b44616cf55949e46549161d9c44a5175e213d79fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9918756.exe

Filesize
604KB

MD5
eb7f5142ac49f5c874d6ad0cd2e9419c

SHA1
8748e1fcc89a33245c764990da0ec21046af86a4

SHA256
bb23875ac2c644d848765a1c500aa2e68bfb4900b41517329e2ef4a57b193478

SHA512
690e685cd412ca953791dd5494ad037088f0670e7f25e84f7dad666f167163db5b80f0ba5be9132c1961252b44616cf55949e46549161d9c44a5175e213d79fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9758465.exe

Filesize
384KB

MD5
e24075c167cafae6b36571decb49ca0b

SHA1
549bea7254668d061d68ff001ed4134e424c3e52

SHA256
6d8c8e3254fd5d1d3f57a5bd4f12285c7976802fcadc1bdd4fa16b0e57297815

SHA512
68ce14dbf782d37398118574891030763d60ca5240730f9aeeddf5f954f8c65951e4d69b792e9c0aee60a5086c7a743f27f5602581762145c078825abe2f7a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9758465.exe

Filesize
384KB

MD5
e24075c167cafae6b36571decb49ca0b

SHA1
549bea7254668d061d68ff001ed4134e424c3e52

SHA256
6d8c8e3254fd5d1d3f57a5bd4f12285c7976802fcadc1bdd4fa16b0e57297815

SHA512
68ce14dbf782d37398118574891030763d60ca5240730f9aeeddf5f954f8c65951e4d69b792e9c0aee60a5086c7a743f27f5602581762145c078825abe2f7a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6079066.exe

Filesize
339KB

MD5
2d2ce8609a052abe9acaea62aa272644

SHA1
ea9c64e6d8cafc996ac931bfb676d6acbd72c39c

SHA256
7244ad9bca504f7a4726ec37acd6f97f49b59a922f08e13745cb9aeed9860eb5

SHA512
36c5d35d542eb85592d4e6a8c4fc6f923019e17b76e921258fd47e79f791da14dc78a361ad25029591b5b73dc0a637c109003c4d992c99fe62898012e064480f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6079066.exe

Filesize
339KB

MD5
2d2ce8609a052abe9acaea62aa272644

SHA1
ea9c64e6d8cafc996ac931bfb676d6acbd72c39c

SHA256
7244ad9bca504f7a4726ec37acd6f97f49b59a922f08e13745cb9aeed9860eb5

SHA512
36c5d35d542eb85592d4e6a8c4fc6f923019e17b76e921258fd47e79f791da14dc78a361ad25029591b5b73dc0a637c109003c4d992c99fe62898012e064480f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6974817.exe

Filesize
12KB

MD5
bc6ac45639ad7fcb8cd2227ab91d8e9b

SHA1
ddd89bbff7d2138c5c091bc35ff22806b06e12f0

SHA256
bd3472f33d9d141843f74ab2bdb015b4348b1554ba0e0a697342cbda369edff4

SHA512
aa38564a0dd0825a18d91253c033a239d2cb7f6d2a47b666a12e63ec0c8f99fefe05e9183e04b9fbff197595a3b6666dfbb5fe1cc6dca21cdc99766c05c8adcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6974817.exe

Filesize
12KB

MD5
bc6ac45639ad7fcb8cd2227ab91d8e9b

SHA1
ddd89bbff7d2138c5c091bc35ff22806b06e12f0

SHA256
bd3472f33d9d141843f74ab2bdb015b4348b1554ba0e0a697342cbda369edff4

SHA512
aa38564a0dd0825a18d91253c033a239d2cb7f6d2a47b666a12e63ec0c8f99fefe05e9183e04b9fbff197595a3b6666dfbb5fe1cc6dca21cdc99766c05c8adcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3415629.exe

Filesize
365KB

MD5
7962538d0fdc7370356cc4ca7c154851

SHA1
f94497e3b3dfb6133c19a9c32fbe744d5f8edff1

SHA256
5d3df4e521f90880a59d1d53bccbb00c1f934d9f5ae4cb2ea241a001a39672bc

SHA512
a151ea40f08790cf2f0e80057b1d0967f0e9fcda1c3d5e4b2eb8855331cbd6b8bec14483158fd04907ff905113fcc4865b6037b49edd856c4db160c04fbe73c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3415629.exe

Filesize
365KB

MD5
7962538d0fdc7370356cc4ca7c154851

SHA1
f94497e3b3dfb6133c19a9c32fbe744d5f8edff1

SHA256
5d3df4e521f90880a59d1d53bccbb00c1f934d9f5ae4cb2ea241a001a39672bc

SHA512
a151ea40f08790cf2f0e80057b1d0967f0e9fcda1c3d5e4b2eb8855331cbd6b8bec14483158fd04907ff905113fcc4865b6037b49edd856c4db160c04fbe73c9

Download Submit
memory/1516-43-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1516-44-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1516-45-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1516-47-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4120-39-0x00007FFF72690000-0x00007FFF73151000-memory.dmp

Filesize
10.8MB

Download
memory/4120-37-0x00007FFF72690000-0x00007FFF73151000-memory.dmp

Filesize
10.8MB

Download
memory/4120-36-0x00007FFF72690000-0x00007FFF73151000-memory.dmp

Filesize
10.8MB

Download
memory/4120-35-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download