healer | e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1

General

Target

e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe
Size

176KB
MD5

576abebf526a42663e085fe6de8903c7
SHA1

d35c836896ec76504c45c30c37a5960fc75ae956
SHA256

e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1
SHA512

504ca39058929213a79a34023039f51d17e38ad38f3db715bb35b108949fa05623998583c091768f718537ddd0a1aaf23c25cfa2877c03facafcb1fb479d62ba
SSDEEP

3072:CDKW1LgppLRHMY0TBfJvjcTp5XfUy6hDwe:CDKW1Lgbdl0TBBvjc/sBD

Score

10^/10

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral2/memory/2204-1-0x00000000023C0000-0x00000000023DA000-memory.dmp	healer
behavioral2/memory/2204-4-0x0000000004990000-0x00000000049A8000-memory.dmp	healer
behavioral2/memory/2204-32-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-30-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-28-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-26-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-8-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-6-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-24-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-22-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-20-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-18-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-16-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-14-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-12-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-10-0x0000000004990000-0x00000000049A3000-memory.dmp	healer
behavioral2/memory/2204-5-0x0000000004990000-0x00000000049A3000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs

resource	yara_rule
behavioral2/memory/2204-1-0x00000000023C0000-0x00000000023DA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-4-0x0000000004990000-0x00000000049A8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-32-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-30-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-28-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-26-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-8-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-6-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-24-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-22-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-20-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-18-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-16-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-14-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-12-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-10-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral2/memory/2204-5-0x0000000004990000-0x00000000049A3000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe
2204	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe

C:\Users\Admin\AppData\Local\Temp\e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe
"C:\Users\Admin\AppData\Local\Temp\e9e2ae90ae67fc81bb7708d0245f72257130ae28bf5ca6b07f67ba65d0fd80d1.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x00000000023C0000-0x00000000023DA000-memory.dmp

Filesize
104KB

Download
memory/2204-2-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2204-3-0x0000000004AD0000-0x0000000005074000-memory.dmp

Filesize
5.6MB

Download
memory/2204-4-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/2204-32-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-30-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-28-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-26-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-33-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2204-8-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-6-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-24-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-22-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-20-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-18-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-16-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-14-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-12-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-10-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-5-0x0000000004990000-0x00000000049A3000-memory.dmp

Filesize
76KB

Download
memory/2204-34-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/2204-36-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads