healer | e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed

Analysis

max time kernel
0s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 13:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe
Size

389KB
MD5

2eeefdf643f78c415d5773e6839837b2
SHA1

797a0d8433f1b575915a9cb2952795535fb3546d
SHA256

ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394
SHA512

96c66dfb44902289d99a122c9e8b2804a236e61351e81ad56f5406fd935a2c5e65fac58da2bb8dd8f2738e5d7e1251128413b5247a1cfc421e1b5dc6c960272f
SSDEEP

6144:K8y+bnr+9p0yN90QEA748JHJlPx2r5z3HVK9ehKCCB2GTNXeD3zsvHclk:QMrty90mM8VJluVSaKCCEUXau

Score

10^/10

healer dropper persistence

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe	healer
behavioral16/memory/3412-15-0x0000000000840000-0x000000000084A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Executes dropped EXE 2 IoCs

Processes:

z2882788.exep8565578.exe

pid process

3280 z2882788.exe
3412 p8565578.exe

pid	process
3280	z2882788.exe
3412	p8565578.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exez2882788.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2882788.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exez2882788.exe

description	pid	process	target process
PID 4964 wrote to memory of 3280	4964	ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe	z2882788.exe
PID 4964 wrote to memory of 3280	4964	ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe	z2882788.exe
PID 4964 wrote to memory of 3280	4964	ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe	z2882788.exe
PID 3280 wrote to memory of 3412	3280	z2882788.exe	p8565578.exe
PID 3280 wrote to memory of 3412	3280	z2882788.exe	p8565578.exe

C:\Users\Admin\AppData\Local\Temp\ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe
"C:\Users\Admin\AppData\Local\Temp\ccc5c313f416465ffc57b4343c6e512d0568f618620aaa7b258b5d5721aaf394.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe
3⤵
- Executes dropped EXE
PID:3412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2882788.exe
Filesize
206KB

MD5
6de9a950d4a4b7c0332b45a5bd235d01

SHA1
841af90b26f4db62c4b8f90e28338191a6a7f828

SHA256
3259015332b3c7d28f60d87021ad2c8774ee8fecdf700f3955e15f54889187a7

SHA512
5020589a686c79d44bd60222e57d114a395b06e9d2a57d29097c2666ec76a8312558593415f55017d066964c49abe9a45ebd738d761666d1b0d93f1bb1e6ba3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8565578.exe
Filesize
14KB

MD5
96a788f0a5be814e86485a5a69530a9f

SHA1
2d3e089f1d1e6bcd963d905e4562b3f463795d85

SHA256
49cb26c4643b21f4e6b5ac16f17256db971437aa4ad718cf747ffe01449a8e34

SHA512
d2f13b86e881b2663e32b77cdc3323c971a42737295766ad575bad1fbc21bf8e7c358e87145acbd092dace56b56c7c76203580b4cdf91afb0346b22cb00ecc0f

Download Submit
memory/3412-14-0x00007FF84F1C3000-0x00007FF84F1C5000-memory.dmp

Filesize
8KB

Download
memory/3412-15-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads