healer | 7d410d6cb63e94a97e6688255ca56279bac5cacc70d37f91986f2235ce99ef8e

Analysis

max time kernel
0s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837.exe
Size

235KB
MD5

ee5e79d00a13fde9e96a1f9953f35fea
SHA1

788be8b6304f138f5c7bdf00fe98562de6f2790d
SHA256

10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837
SHA512

26b1209bb16d6e5ed3dabe6fc18e6ec425197ecfd26f2038d9d796cff93d25597c774ca01fec5d975457ef7e544b9d7f7d09372e391c1823b4a7e3bcf94d0c49
SSDEEP

6144:KCy+bnr+0p0yN90QEdHyEL9MR1SKgfYLNYs1Ul8C2N:6Mrcy90zgoYLWs6l8V

Score

10^/10

healer dropper persistence

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral4/files/0x0009000000023410-5.dat	healer
behavioral4/memory/3688-7-0x0000000000D90000-0x0000000000D9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Executes dropped EXE 1 IoCs

pid	Process
3688	a6528505.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 3688	1508	10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837.exe	82
PID 1508 wrote to memory of 3688	1508	10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837.exe	82

C:\Users\Admin\AppData\Local\Temp\10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837.exe
"C:\Users\Admin\AppData\Local\Temp\10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a6528505.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a6528505.exe
  2⤵
  - Executes dropped EXE
  PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a6528505.exe

Filesize
13KB

MD5
84bab76f53d09527ab0783ba2ece2e2e

SHA1
bfdc2db1addb613025d32d8a288fc7b70b8b22ee

SHA256
8f1eae62ef850d5a0a78054f853cbbe4c3b547bfc34ee890746405cee8bbfe95

SHA512
45f0fa0cf107c116e6bd6e8145cfa5580cc007c3755e5b290f5aede15e195c83e296b90d4a6bbbbd619dfdb98168569c2efe8f2e4c9c5a7083a849ed65c670c9

Download Submit
memory/3688-7-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/3688-8-0x00007FF9508B3000-0x00007FF9508B5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads