Malware Analysis Report

2025-08-11 02:10

Sample ID 231003-c2w98sfh2y
Target ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9
SHA256 ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9
Tags
healer dropper evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9

Threat Level: Known bad

The file ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9 was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 02:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 02:34

Reported

2023-10-03 02:37

Platform

win10-20230915-en

Max time kernel

126s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2704 set thread context of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe
PID 4768 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe
PID 4768 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe
PID 1164 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe
PID 1164 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe
PID 1164 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe
PID 5112 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe
PID 5112 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe
PID 5112 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe
PID 4472 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe
PID 4472 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe
PID 4472 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe
PID 4472 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe
PID 4472 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe
PID 2704 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2704 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe

"C:\Users\Admin\AppData\Local\Temp\ae2e7968e9d135045969af3b12d83a29ff86931702e55070d5481a48703c34a9.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KR5rX80.exe

MD5 b7aaf55af27d4a3c181ac18ee65a58bf
SHA1 7885d435cd40bb35c6b3ec4106d4025106ae5126
SHA256 8097e1e428c44aef4fafabbe421b2c1970eb2eb680e1d25100528f18e1927332
SHA512 7268b9b46ac0bd4b78c3e2ad11c01f46858d5272beeb8dcd01cbb434b3bed2c572931a7a56f40a3b0c7c2f83b805ecb561e30c285b9ac120d981875054f0652c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rg5QB67.exe

MD5 4d44a2ba3feda8c26d63ae09ccde75aa
SHA1 a77dc164e9128e1e92047ed13eb984d59f4c723c
SHA256 dc5bb17b44268b9ddb288e0bf0fd0d9f9a43f08067d8bd1ba4762ddf7fbed4d5
SHA512 8289f4712737af707ea3d1e2baf94ce9496681eea2ed3f1de266d588b6ce06c5c8aba6e68e9d55091d4997e5cd2215a9aa8b87d44a0cf4d69fbc409618195326

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4GP13.exe

MD5 e2b98d6f8c393cb6b0ee25d801a61d95
SHA1 877c429c5225231a7ff7f4c3f3dabf8df8b4d5b4
SHA256 9e1056499a931a07e17d4983723fe26c3c09191edd743ad9e3cec9777ce4492d
SHA512 ecd6aad8a9032fe3aa7bf5d8a618b4522ac5d797650c0c636e268a5e5d31e76bda9540731c34df7666c1faf831c925252defe07923a9b6217848448c1cb255fa

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dh93jA1.exe

MD5 d93eab621ecd3f27091fe302a5491945
SHA1 2240ceaa448d7bc1aae00641cb9998a189deb872
SHA256 2442573c4b240c8ff33d508c571d6e82d32643893f64e078f419b49b18613ea7
SHA512 f8a3cf1d092520029a6dae181042c4104fd3785354c91f832d9612fa436651abb5933f8e142941d999b41b8adac5bbfeccd837508f6abd1449e7172ca9152816

memory/4100-28-0x00000000003B0000-0x00000000003BA000-memory.dmp

memory/4100-29-0x00007FFB6F190000-0x00007FFB6FB7C000-memory.dmp

memory/4100-31-0x00007FFB6F190000-0x00007FFB6FB7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2YN3973.exe

MD5 192e97ba8aba31ccb719acf64cc6d0af
SHA1 68f86fe734182995edb61351ee44ee08f00d1f6a
SHA256 523fac9407dd3be6a16d97d2d587bfc94e40c3f208daced37dc40cd8cc088ad2
SHA512 01870f270dac29a3484a0a7b199da1decfe83a0c35a6a9c97ad38a8ec742839e375b153481bf4e0f07819e43c43e707aaa2edf2b70ea7a2a1138109d4327dbc1

memory/224-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/224-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/224-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/224-41-0x0000000000400000-0x0000000000428000-memory.dmp