
Recently we were alerted by an incident on Microsoft Defender titled "Multi-stage incident involving Execution & Discovery on one endpoint", and amongst the commands that ran was a suspicious tool "Healthy.exe".

These are some of the reported commands:

Healthy.exe --type=crashpad-handler "--user-data-dir=C:\Users\DG\AppData\Local\Healthy\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\DG\AppData\Local\Healthy\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\DG\AppData\Local\Healthy\User Data\Crashpad" "--metrics-dir=C:\Users\DG\AppData\Local\Healthy\User Data" --annotation=plat=Win64 --annotation=prod=Healthy --annotation=ver=0.0.2 --initial-client-data=0x25c,0x260,0x264,0x258,0x268,0x7ffac8359ec0,0x7ffac8359ed0,0x7ffac8359ee0

"Healthy.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,13707566958700461977,3626767176628270657,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\DG\AppData\Local\Healthy\User Data" --nwapp-path="C:\Users\DG~1\AppData\Local\Temp\nw12476_1097854171" --mojo-platform-channel-handle=3616 /prefetch:8

The only results I get when searching about it are about "Health exe", which I don't think are the same?

Healthy exe search results

The user ran an AV scan which reported no maliciousness, so I'm not sure if this is still worrisome or not.

Here are some screenshots from that path specified in the commands:

healthy folder

VirusTotal analysis:

Cataster
  • 1
    Can you send it to virustotal.com ? – Tetsujin Jul 15 '22 at 17:22
  • More than likely it is if flagged by defender. – Moab Jul 15 '22 at 17:24
  • @Tetsujin I searched for it on there but no results were found. Also, I uploaded screenshots from the folder path – Cataster Jul 15 '22 at 17:24
  • We cannot really guess whether any given file is malicious or not, and as suggested by Tetsujin the best possibility is VirusTotal. If you wish to get better results from search engines then you should use quotation marks around the items you require: https://www.google.com/search?client=firefox-b-d&q=%22Healthy.exe%22 – Mokubai Jul 15 '22 at 17:24
  • https://www.google.com/search?q=%22Healthy.exe%22+malware also gives some possibilities but the only real thing you can do is sacrifice some machines to find out yourself. – Mokubai Jul 15 '22 at 17:27
  • 1
    File names are purely arbitrary, so you will have to actually upload the file to VirusTotal, not just search their site for submissions for a file with the same name. You won't be able to find anything trustworthy by just searching by filename. – Frank Thomas Jul 15 '22 at 17:27
  • The command line params make me think it is a Petya ransomware variant. You would need to send it to virustotal.com as @Tetsujin suggested to get confirmation. – UnhandledExcepSean Jul 15 '22 at 17:29
  • @Mokubai even if I have available machines for testing, I don't even know how the user got this on his machine to reproduce. At the same time I don't want to keep bugging him so he feels he's being accused. Gosh this is hard...:[ – Cataster Jul 15 '22 at 17:31
  • @FrankThomas ok will do! Thanks! – Cataster Jul 15 '22 at 17:32
  • @UnhandledExcepSean interesting, hopefully not. I've been trying to strike a balanced approach to this alert for a week; it's not been easy with this ambiguity. I asked the user nicely and he told me he just downloaded a wallpaper image which he now deleted. He thinks it was .jpeg, not html/js, but I can't verify that now that it's deleted :/ so I can't tell how this healthy.exe was installed on his machine if the image truly wasn't JavaScript, if it even was just an image he downloaded – Cataster Jul 15 '22 at 17:34
  • 3
    If you cannot even *check* the machine as having a potential threat on it then you've already lost. Just tell the person that there is something wrong, do not apportion blame, do not tell them they did something, just do what you need to do to make sure the machine is safe to use. If it is malware then god alone only knows what it can do while you let the user keep the machine on your network. If the user did it themselves then your investigation, not initial guesses should provide the evidence. – Mokubai Jul 15 '22 at 17:34
  • @Mokubai ya I'm starting to think this is it for the investigation. I asked the user nicely and he told me he just downloaded a wallpaper image which he now deleted. He thinks it was .jpeg, not html/js, but I can't verify that now that it's deleted :/ so I can't tell how this healthy.exe was installed on his machine if the image truly wasn't JavaScript, if it even was just an image he downloaded. At the very least his AV scan returned clean results so I guess it's fine to keep on the network – Cataster Jul 15 '22 at 17:37
  • 1
    Was it wallpaper.jpg.exe? :) If I suspect a machine was infected, it gets wiped and reloaded. Nuke it from orbit. /It's the only way to be sure – UnhandledExcepSean Jul 15 '22 at 17:39
  • @UnhandledExcepSean `Nuke it from orbit.` That's my eradication plan in the report LOL – Cataster Jul 15 '22 at 17:42
  • The beginning parts of the command lines definitely suggest that whatever they did was trying to use some chrome-like or chrome-impersonating software drop: https://www.google.com/search?q=Chrome+--type%253Dutility+--utility-sub-type%253Dchrome.mojom.UtilWin as well as https://www.joesandbox.com/analysis/291810/0/html showing a lot of similar commands suggests a browser based drop kit that may have been trying to mask itself by copying "chrome.exe" to "healthy.exe". The only way to know for sure whether you can trust the computer (and the user) is by taking it away and doing real analysis. – Mokubai Jul 15 '22 at 18:54
  • @Mokubai very interesting. The user uploaded the `healthy.exe` app to VirusTotal and this was the result: `16 security vendors and no sandboxes flagged this file as malicious`. I uploaded a screenshot as well – Cataster Jul 15 '22 at 19:11
  • Then it could well have just been a masked Chrome with some script or something to download a payload. The only way to know is to quarantine the machine and find out what ***exactly*** they downloaded and from where. – Mokubai Jul 15 '22 at 19:23
  • @Mokubai is there a way to find that out from the Defender portal? Or do we have to actually have the user ship over the device and analyze it? – Cataster Jul 15 '22 at 19:24
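An added triage helper, written here as a defender's example and not code from the question or any commenter: it tokenizes the reported command lines, notes the Chromium/NW.js-style switches Mokubai pointed at and the user-writable paths they reference, and hashes the binary so it can be looked up on VirusTotal by digest rather than by file name, as Frank Thomas recommended. The marker flag set, the path patterns and the abridged sample command lines are assumptions constructed from the question.

```python
import hashlib
import re
# Constructed sample: the two command lines reported in the question, abridged.
SAMPLE_CMDLINES = [
    'Healthy.exe --type=crashpad-handler "--user-data-dir=C:\\Users\\DG\\AppData\\Local\\Healthy\\User Data" /prefetch:7',
    '"Healthy.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --no-sandbox '
    '--user-data-dir="C:\\Users\\DG\\AppData\\Local\\Healthy\\User Data" '
    '--nwapp-path="C:\\Users\\DG~1\\AppData\\Local\\Temp\\nw12476_1097854171" /prefetch:8',
]
# Assumed marker sets: Chromium/NW.js switches and user-writable path fragments.
CHROMIUM_FLAGS = {"type", "utility-sub-type", "nwapp-path", "mojo-platform-channel-handle"}
USER_WRITABLE = re.compile(r"\\AppData\\Local\\|\\Temp\\", re.IGNORECASE)
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # quoted runs may sit mid-token

def tokenize(cmdline):
    """Split a Windows command line; quotes group text but are not part of the token."""
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]

def parse_flags(cmdline):
    """Return (image, {flag: value}) for --flag[=value]; a repeated flag keeps its last value."""
    tokens = tokenize(cmdline)
    flags = {}
    for tok in tokens[1:]:
        if tok.startswith("--"):
            key, _, value = tok[2:].partition("=")
            flags[key] = value
    return tokens[0], flags

def triage(cmdline):
    """Defender-side observations for one reported command line."""
    image, flags = parse_flags(cmdline)
    findings = []
    if CHROMIUM_FLAGS.intersection(flags):
        findings.append("Chromium-style child process (NW.js app if --nwapp-path is set)")
    if "no-sandbox" in flags:
        findings.append("started with --no-sandbox")
    for key in ("user-data-dir", "nwapp-path"):
        if key in flags and USER_WRITABLE.search(flags[key]):
            findings.append(f"{key} under user-writable path: {flags[key]}")
    return image, findings

def sha256_of(chunks):
    """Hash an iterable of byte chunks; VirusTotal indexes digests, not file names."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def sha256_file(path):  # digest of an on-disk sample, read in 1 MiB chunks
    with open(path, "rb") as f:
        return sha256_of(iter(lambda: f.read(1 << 20), b""))
```

Run `triage()` over each line exported from the Defender incident and submit `sha256_file()` of the binary to VirusTotal; a clean result for the file name alone says nothing, as the comments above note.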

0 Answers