healer | 2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c

Analysis

max time kernel
185s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe
Size

1.3MB
MD5

b06f77d6b8b16816481d0991540f623c
SHA1

090fa8432f22955781fe9eddec1b3337c080a074
SHA256

2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c
SHA512

e2042f7473d6b5f0c60490135364e437abfcb17a53536b9cb40c4bcf97e7dc4c7d1fd6b624f3caf681ad22016e5bb0f1307151192c57f123d60cb02839483a14
SSDEEP

24576:TySwGbS6wmVr8EJ7cshwka69L+vzU4D04M3GhV0yzePfqyKYiESk/coWcN5Gay7n:mRGbS6w6rDJ7csh1L+vzh0rWeE0/FWcy

Score

10^/10

healer dropper evasion persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000800000002320d-33.dat	healer
behavioral2/files/0x000800000002320d-34.dat	healer
behavioral2/memory/1372-35-0x0000000000E70000-0x0000000000E7A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q4653566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q4653566.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q4653566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q4653566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q4653566.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q4653566.exe

Executes dropped EXE 6 IoCs

pid	Process
3484	z4551336.exe
4280	z0878074.exe
3124	z9818545.exe
1524	z3178158.exe
1372	q4653566.exe
4432	r8841159.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q4653566.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9818545.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z3178158.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4551336.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0878074.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4432 set thread context of 1968	4432	r8841159.exe	98

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3552	1968	WerFault.exe	98
4568	4432	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1372	q4653566.exe
1372	q4653566.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	q4653566.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 3484	3212	2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe	89
PID 3212 wrote to memory of 3484	3212	2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe	89
PID 3212 wrote to memory of 3484	3212	2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe	89
PID 3484 wrote to memory of 4280	3484	z4551336.exe	90
PID 3484 wrote to memory of 4280	3484	z4551336.exe	90
PID 3484 wrote to memory of 4280	3484	z4551336.exe	90
PID 4280 wrote to memory of 3124	4280	z0878074.exe	91
PID 4280 wrote to memory of 3124	4280	z0878074.exe	91
PID 4280 wrote to memory of 3124	4280	z0878074.exe	91
PID 3124 wrote to memory of 1524	3124	z9818545.exe	92
PID 3124 wrote to memory of 1524	3124	z9818545.exe	92
PID 3124 wrote to memory of 1524	3124	z9818545.exe	92
PID 1524 wrote to memory of 1372	1524	z3178158.exe	93
PID 1524 wrote to memory of 1372	1524	z3178158.exe	93
PID 1524 wrote to memory of 4432	1524	z3178158.exe	96
PID 1524 wrote to memory of 4432	1524	z3178158.exe	96
PID 1524 wrote to memory of 4432	1524	z3178158.exe	96
PID 4432 wrote to memory of 1968	4432	r8841159.exe	98
PID 4432 wrote to memory of 1968	4432	r8841159.exe	98
PID 4432 wrote to memory of 1968	4432	r8841159.exe	98
PID 4432 wrote to memory of 1968	4432	r8841159.exe	98
PID 4432 wrote to memory of 1968	4432	r8841159.exe	98
PID 4432 wrote to memory of 1968	4432	r8841159.exe	98
PID 4432 wrote to memory of 1968	4432	r8841159.exe	98
PID 4432 wrote to memory of 1968	4432	r8841159.exe	98
PID 4432 wrote to memory of 1968	4432	r8841159.exe	98
PID 4432 wrote to memory of 1968	4432	r8841159.exe	98

C:\Users\Admin\AppData\Local\Temp\2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe
"C:\Users\Admin\AppData\Local\Temp\2f8ebf3780fa620a5e0e70147ac07fb96250ce99c638b16376d84942997ca78c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4551336.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4551336.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0878074.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0878074.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9818545.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9818545.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3178158.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3178158.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4653566.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4653566.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8841159.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8841159.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 540
        8⤵
        Program crash
        
        PID:3552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 556
        7⤵
        Program crash
        
        PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4432 -ip 4432
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1968 -ip 1968
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4551336.exe

Filesize
1.2MB

MD5
541a1bbac97ec4e491c96000841174ea

SHA1
916df57ef703f05b7a68ff2ecad279232208da63

SHA256
700f26699a10f3ed8c2b7b24ed8062349cc10f3ca40ab1c1de9c01f7b41ce385

SHA512
7364900a640af84ba1142e2538891e1b1b5997a41bc08aa032c42b24b3e39405ab68e43a58d150b79b7b646cad4ece68b20208318ca4adc2cd9c7b233d14477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4551336.exe

Filesize
1.2MB

MD5
541a1bbac97ec4e491c96000841174ea

SHA1
916df57ef703f05b7a68ff2ecad279232208da63

SHA256
700f26699a10f3ed8c2b7b24ed8062349cc10f3ca40ab1c1de9c01f7b41ce385

SHA512
7364900a640af84ba1142e2538891e1b1b5997a41bc08aa032c42b24b3e39405ab68e43a58d150b79b7b646cad4ece68b20208318ca4adc2cd9c7b233d14477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0878074.exe

Filesize
1.0MB

MD5
c332c06d99f30269f9874528dc57ee1f

SHA1
2513ae94f49d3a6e346db2d12317ce75b1fd55d7

SHA256
93fe314e3f4bb292bbd8d383f38b23ff5e51501b06e0706c0234f47e83588001

SHA512
81e81617440ea34147364d23e7b42cd6f70e0ab18648aba0344f2c7b2c853fbae1a91da1c44db08f0403462a9c24ffafb22dee070e662367fff5cb7d550bc644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0878074.exe

Filesize
1.0MB

MD5
c332c06d99f30269f9874528dc57ee1f

SHA1
2513ae94f49d3a6e346db2d12317ce75b1fd55d7

SHA256
93fe314e3f4bb292bbd8d383f38b23ff5e51501b06e0706c0234f47e83588001

SHA512
81e81617440ea34147364d23e7b42cd6f70e0ab18648aba0344f2c7b2c853fbae1a91da1c44db08f0403462a9c24ffafb22dee070e662367fff5cb7d550bc644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9818545.exe

Filesize
867KB

MD5
3925d09b204ed85fd573247f3303aec7

SHA1
ab863d572076367054d48f9c559a34e6f1f80c3a

SHA256
a2284d9c754b86cb134ebdcf232ae756565f8a0aea20a194e64fc1ca2aa8c298

SHA512
65e95965f32c3c304c98aa3d66dd892ec8899afa8cd686a64cb54676a36e0698ea3daf976a0b547a6dc01a37345dfe1ba7c830f2b55dc2f3b31ee980e0eb152d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9818545.exe

Filesize
867KB

MD5
3925d09b204ed85fd573247f3303aec7

SHA1
ab863d572076367054d48f9c559a34e6f1f80c3a

SHA256
a2284d9c754b86cb134ebdcf232ae756565f8a0aea20a194e64fc1ca2aa8c298

SHA512
65e95965f32c3c304c98aa3d66dd892ec8899afa8cd686a64cb54676a36e0698ea3daf976a0b547a6dc01a37345dfe1ba7c830f2b55dc2f3b31ee980e0eb152d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3178158.exe

Filesize
475KB

MD5
316860325c869f24299aca89847677e2

SHA1
5a7682e6744c6989bf5719db88737fef0771371a

SHA256
6ad8edc32da150da196291673f393ca924f6c57bf13d279048a224997fee9fe0

SHA512
634c492fd97ea092260b5d245c41384b6e085f4705dfc9324ecd864c94a415e4a973eea4b963b8c1de5e47d06bf691f9e7b40d3fbd6b5da067244d1457277abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3178158.exe

Filesize
475KB

MD5
316860325c869f24299aca89847677e2

SHA1
5a7682e6744c6989bf5719db88737fef0771371a

SHA256
6ad8edc32da150da196291673f393ca924f6c57bf13d279048a224997fee9fe0

SHA512
634c492fd97ea092260b5d245c41384b6e085f4705dfc9324ecd864c94a415e4a973eea4b963b8c1de5e47d06bf691f9e7b40d3fbd6b5da067244d1457277abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4653566.exe

Filesize
11KB

MD5
4e2ef60c1ce12a20cf1eff8bd3f99eae

SHA1
885bef7273c99596c612e7df9ea819344a0ff4a3

SHA256
1046e0916c085985b3e329a7d6e0df27e9b2a317fdf64ab3d773ae1de63aaf76

SHA512
daf29bb8658b2395eac9ebc1c6baadc9931b49668b59c65ad16baa913b0fbe6575bda6d0342b97c9b84c9a0daf7b698a9d7138fca92314d2d617b35a1f4a015e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4653566.exe

Filesize
11KB

MD5
4e2ef60c1ce12a20cf1eff8bd3f99eae

SHA1
885bef7273c99596c612e7df9ea819344a0ff4a3

SHA256
1046e0916c085985b3e329a7d6e0df27e9b2a317fdf64ab3d773ae1de63aaf76

SHA512
daf29bb8658b2395eac9ebc1c6baadc9931b49668b59c65ad16baa913b0fbe6575bda6d0342b97c9b84c9a0daf7b698a9d7138fca92314d2d617b35a1f4a015e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8841159.exe

Filesize
1.0MB

MD5
867ee5cb226a9cad45c6213ae7641d7f

SHA1
8f868609370252b9956f2198436002b8de5decd0

SHA256
9fb58a45cacb846a7aa65dde1e739adfc3aa5909069ddf2d84b9096724c75aab

SHA512
365ec1d78dcf864cb202490033370116b6c1b36d28d7ef3f6116dd3de63945a8d37434600621bd9d5fdaf20dc08e03287460ecd04ddceff244a6be49b70c4d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8841159.exe

Filesize
1.0MB

MD5
867ee5cb226a9cad45c6213ae7641d7f

SHA1
8f868609370252b9956f2198436002b8de5decd0

SHA256
9fb58a45cacb846a7aa65dde1e739adfc3aa5909069ddf2d84b9096724c75aab

SHA512
365ec1d78dcf864cb202490033370116b6c1b36d28d7ef3f6116dd3de63945a8d37434600621bd9d5fdaf20dc08e03287460ecd04ddceff244a6be49b70c4d18

Download Submit
memory/1372-37-0x00007FFA8D190000-0x00007FFA8DC51000-memory.dmp

Filesize
10.8MB

Download
memory/1372-39-0x00007FFA8D190000-0x00007FFA8DC51000-memory.dmp

Filesize
10.8MB

Download
memory/1372-36-0x00007FFA8D190000-0x00007FFA8DC51000-memory.dmp

Filesize
10.8MB

Download
memory/1372-35-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/1968-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download