healer | c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0d

General

Target

c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Size

295KB
MD5

02a8d30e926df56a9cb8a5858dc3dd30
SHA1

cd379b7a853f2c538a62b3af6ec27b11fb9f952e
SHA256

c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0d
SHA512

9450782815243b353dd4989064f86b2ea07c8f42df8f28917a020605ce8d1bb64113daf6b8897436d8f1393ae1b74f48f4b525476a30760c509f407104bac0e6
SSDEEP

3072:SZ7HjoCTZXT3uq7AmjWCXeZeHhVURa7sMc+Z+pBAkKtrrmJ4DQENIv8kc8+c0bJf:iFdruq7om2a7sHlWtrHDQGIv8kc8ex

Score

10^/10

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2596-4-0x0000000004660000-0x000000000467A000-memory.dmp	healer
behavioral1/memory/2596-5-0x0000000004680000-0x0000000004698000-memory.dmp	healer
behavioral1/memory/2596-33-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-31-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-29-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-27-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-25-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-23-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-21-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-19-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-17-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-15-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-13-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-11-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-9-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-7-0x0000000004680000-0x0000000004692000-memory.dmp	healer
behavioral1/memory/2596-6-0x0000000004680000-0x0000000004692000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2596	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
2596	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe

C:\Users\Admin\AppData\Local\Temp\c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe
"C:\Users\Admin\AppData\Local\Temp\c80a7c9f711f25d6618ba385dde2515313acfe1b573bec067b0cc8a5f0453f0dN.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2596-1-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2596-2-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/2596-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2596-4-0x0000000004660000-0x000000000467A000-memory.dmp

Filesize
104KB

Download
memory/2596-5-0x0000000004680000-0x0000000004698000-memory.dmp

Filesize
96KB

Download
memory/2596-33-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-31-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-29-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-27-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-25-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-23-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-21-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-19-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-17-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-15-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-13-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-11-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-9-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-7-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-6-0x0000000004680000-0x0000000004692000-memory.dmp

Filesize
72KB

Download
memory/2596-34-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/2596-35-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2596-37-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/2596-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2596-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2596-41-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads