Malware Analysis Report

2025-08-11 02:10

Sample ID 231003-c63b2sfh6x
Target b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20
SHA256 b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20
Tags
healer dropper evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20

Threat Level: Known bad

The file b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20 was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 02:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 02:42

Reported

2023-10-03 02:44

Platform

win10-20230915-en

Max time kernel

127s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe N/A
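
The three signature groups above record two different kinds of registry write. q9797964.exe sets five Disable* values under the Defender Real-Time Protection policy key and writes 0 to the TamperProtection feature flag; every layer of the dropper writes a wextract_cleanupN value under RunOnce. Two caveats for anyone triaging this on a real host. First, the IXP00N.TMP directories and the wextract_cleanupN RunOnce values are created by Windows' own wextract.exe when a CAB-based self-extracting (IExpress) package runs, and the rundll32 advpack.dll,DelNodeRunDLL32 command they hold only deletes that temp directory at next logon, so the "Adds Run key" hit here is a packaging artifact of the five nested extractors rather than persistence for the payload. Second, the rows show the write calls the sandbox monitor observed, not whether Defender accepted them: with Tamper Protection on, Defender rejects changes to these settings from anything other than Defender itself, so confirm live state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) instead of trusting the registry alone.

The Python below is an added example, not part of the report or the sandbox's own code. It parses "Set value" rows in the format used by the tables above (the regex, the severity scale and the labels are this example's assumptions; the ATT&CK IDs are the standard ones for Impair Defenses: Disable or Modify Tools and Boot or Logon Autostart Execution: Registry Run Keys) and tags each row as a Defender tamper, a wextract cleanup artifact or a genuine Run/RunOnce entry. The sample rows are copied from this report.

```python
import re
from dataclasses import dataclass

# Constructed sample input: "Set value" rows copied from the signature tables above.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe N/A
"""

# Row layout assumed from the tables above: value type, key path, quoted value, writing process, target.
ROW_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "(.*)" (\S+) N/A$')

# Key paths exactly as the sandbox renders them (HKLM appears as \REGISTRY\MACHINE).
DEFENDER_RTP_POLICY = r'\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
TAMPER_PROTECTION = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection'
WEXTRACT_CLEANUP_NAME = re.compile(r'wextract_cleanup\d+')


@dataclass
class Finding:
    technique: str   # MITRE ATT&CK technique ID
    severity: str    # high / medium / info / low (this example's own scale)
    label: str
    key: str
    process: str


def classify(row: str):
    """Classify one 'Set value' row; returns None for lines that are not such rows."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    _kind, key, value, process = m.groups()
    parent, name = key.rsplit('\\', 1)
    if parent == DEFENDER_RTP_POLICY and name.startswith('Disable') and value == '1':
        return Finding('T1562.001', 'high', f'Defender real-time protection policy {name}=1', key, process)
    if key == TAMPER_PROTECTION and value == '0':
        return Finding('T1562.001', 'high', 'Defender TamperProtection feature flag set to 0', key, process)
    if parent.endswith(r'\CurrentVersion\RunOnce') or parent.endswith(r'\CurrentVersion\Run'):
        if WEXTRACT_CLEANUP_NAME.fullmatch(name) and 'advpack.dll,DelNodeRunDLL32' in value:
            # wextract.exe (IExpress SFX) schedules deletion of its IXP00N.TMP directory at next logon.
            return Finding('T1547.001', 'info', f'wextract temp-dir cleanup {name} (SFX packaging artifact)', key, process)
        return Finding('T1547.001', 'medium', f'Run/RunOnce entry {name}', key, process)
    return Finding('n/a', 'low', f'unclassified registry write {name}', key, process)


def classify_rows(text: str) -> list:
    """Classify every 'Set value' row in a block of report text, skipping other lines."""
    return [f for f in (classify(line) for line in text.splitlines()) if f is not None]


def severity_counts(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == '__main__':
    findings = classify_rows(SAMPLE_ROWS)
    for f in findings:
        exe = f.process.rsplit('\\', 1)[-1]
        print(f'{f.severity:6} {f.technique:10} {f.label}  <- {exe}')
    print(severity_counts(findings))
```

Feeding the full set of rows from this report gives six high findings attributed to q9797964.exe and five info findings, one per extractor layer; a medium finding would only appear for a Run/RunOnce value that is not a wextract cleanup entry.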

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2332 set thread context of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 332 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe
PID 332 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe
PID 332 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe
PID 200 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe
PID 200 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe
PID 200 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe
PID 764 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe
PID 764 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe
PID 764 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe
PID 2476 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe
PID 2476 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe
PID 2476 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe
PID 4164 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe
PID 4164 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe
PID 4164 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe
PID 4164 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe
PID 4164 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
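
Read together, the WriteProcessMemory and SetThreadContext rows describe one linear chain of self-extracting layers (332 -> 200 -> 764 -> 2476 -> 4164), a fan-out at the last layer into q9797964.exe (656, the Defender disabler) and r3304296.exe (2332), and a final sequence of memory writes followed by SetThreadContext from 2332 into AppLaunch.exe (3128), a signed .NET host binary under C:\Windows. Writes into a freshly started system binary followed by a thread-context change is the process hollowing pattern: the dropped file is only a loader, and the payload runs under the name of a trusted process. The WerFault lines in the Processes section (-p 2332 and -p 3128) show that both the injector and the hollowed host crashed, and the Network section holds only PTR lookups, so this run does not capture what the final stage would have done once resident.

The Python below is an added example, not code from the report or the sandbox. It parses rows in the format shown above (the regex is an assumption about that layout), rebuilds the process tree while counting repeated writes instead of discarding them, and flags any source/target pair that received both a memory write and a thread-context change where the target lives under the Windows directory. The sample rows are copied from this report.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: WriteProcessMemory and SetThreadContext rows from the tables above.
# Repeated rows are kept because each one is a separate API call in the sandbox log.
SAMPLE_EVENTS = r"""
PID 332 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe
PID 332 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe
PID 332 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe
PID 200 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe
PID 764 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe
PID 2476 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe
PID 4164 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe
PID 4164 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe
PID 4164 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 set thread context of 3128 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"""

# Row layout assumed from the tables above: source PID, action, target PID, N/A, source path, target path.
EVENT_RE = re.compile(r'^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$')


def parse_events(text: str) -> list:
    """Return (src_pid, action, dst_pid, src_path, dst_path) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            src, action, dst, src_path, dst_path = m.groups()
            events.append((int(src), action, int(dst), src_path, dst_path))
    return events


def build_tree(events):
    """Edges parent->children, PID->image path, write counts per pair, pairs with SetThreadContext."""
    children, names, writes, ctx = defaultdict(set), {}, Counter(), set()
    for src, action, dst, src_path, dst_path in events:
        names[src], names[dst] = src_path, dst_path
        children[src].add(dst)
        if action == 'wrote to memory of':
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return children, names, writes, ctx


def roots(children) -> list:
    """PIDs that write into others but were never written into themselves."""
    written_into = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in written_into)


def longest_path(children, start) -> list:
    """Deepest root-to-leaf path; ties broken by lowest PID for determinism."""
    best = [start]
    for child in sorted(children.get(start, ())):
        candidate = [start] + longest_path(children, child)
        if len(candidate) > len(best):
            best = candidate
    return best


def hollowing_candidates(children, names, writes, ctx) -> list:
    """Pairs with both a memory write and SetThreadContext whose target is a Windows-directory binary."""
    found = []
    for src, dst in sorted(ctx):
        if writes[(src, dst)] and names[dst].lower().startswith('c:\\windows\\'):
            found.append({'injector': src, 'target': dst, 'target_path': names[dst], 'writes': writes[(src, dst)]})
    return found


def render(children, names, start, depth=0) -> list:
    """Indented text tree, one line per PID."""
    lines = [f"{'  ' * depth}{start} {names[start]}"]
    for child in sorted(children.get(start, ())):
        lines.extend(render(children, names, child, depth + 1))
    return lines


def analyze(text: str) -> dict:
    children, names, writes, ctx = build_tree(parse_events(text))
    root = roots(children)[0]
    return {'root': root, 'chain': longest_path(children, root),
            'tree': render(children, names, root),
            'hollowing': hollowing_candidates(children, names, writes, ctx)}


if __name__ == '__main__':
    result = analyze(SAMPLE_EVENTS)
    print('\n'.join(result['tree']))
    print('deepest chain:', ' -> '.join(map(str, result['chain'])))
    print('hollowing candidates:', result['hollowing'])
```

The target-path test is deliberately narrow: a write into another file under the user's Temp directory is the extractor handing execution to the next layer, while a write plus SetThreadContext into a binary under C:\Windows is what merits the injection label.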

Processes

C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe

"C:\Users\Admin\AppData\Local\Temp\b85eb2e9c9196e577928ac5841912cb8e7a6c5e9394bd56becac426964d4ae20.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 f.f.f.f.7.d.6.8.a.b.1.b.c.7.8.f.f.f.f.f.7.d.6.8.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8452820.exe

MD5 d067519496ac56226e4ca0a4a21adea2
SHA1 306093ba592ea835613fc4fe1bc02a68a1c82b89
SHA256 249b02bb16ea7fc59c3c112608ce7682402242f756ac6359484b641c405e7fb8
SHA512 ea4f346d18fa3b144263f20993ad2864fd838cd906ba4db8fe20f76c1619f143c2e8e73ce848b5e6f8d402526ea106be6afde5509f95bebead8588e08b3a3d39

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9812812.exe

MD5 05707e311c996caee4862edf9a797f55
SHA1 f76f2f346aea5f04b760b2ed787f660b507b8138
SHA256 fc31a6ce744069eaa11e12cf0cb695268580adc43d2892a4b3fe55208c4683ed
SHA512 ad8e68b28940358b849f214c7b94b112845af74c94ba717c70d9c7ddc71d17bad53af22e7f2f09dbf0a24e8e693fc62b317cdaca0f2ed24262cd4369e3f811c9

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2452599.exe

MD5 105bf4a316fb664e65b2e97ad6a5ecfd
SHA1 5c174d8a20a64fac0a9eadbef4b13bf69c35683e
SHA256 6a0b16bbf0a5d5a20005fd9253001e89a1fc4e5016e291f21096df7b09e72396
SHA512 a25bcab66e7ef758ead67a085a561169b090f38a211fba92304531b21e37ea783a8afe519b115481321870124fee450072ed635d6993397ef37bc76926f736e1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8405370.exe

MD5 3c5adf796fd3080ff3b5e72c417b669b
SHA1 2a8781090ae982ac09c709322b07221b53a38362
SHA256 206680f5afd989d83b103d8d0afc86bd7798afd4d67687a5b73f9fc5eadbdd21
SHA512 bb90b07668bd1c9e5c8d8bdd231fab25ef2d8213487cee506cc936ece957622ad9c0ab4e130e059a0c31db548872b38a9a39667922c334482f13143e7fd581bd

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9797964.exe

MD5 522f3d34513d6cd6738a96dbf024a7ab
SHA1 6999a9dedaec290805e8a387469e54ba6deccb57
SHA256 5f9253f321622fd22e214d58154284462a6580d96dbfead4f0c8c58737ee9091
SHA512 c440da254f557a981585144524813c069c5f49806479db43df5adfefaac01b7ac52d29fb0c850d2d4f297fa616d2788222c6a1284a1b283dfc9b346743919451

memory/656-35-0x0000000000970000-0x000000000097A000-memory.dmp

memory/656-36-0x00007FFF1BCD0000-0x00007FFF1C6BC000-memory.dmp

memory/656-38-0x00007FFF1BCD0000-0x00007FFF1C6BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3304296.exe

MD5 13f89dd0b3e5c439f324930e406a5bda
SHA1 bda6c49c22abcdb7839cfff56b40d53eed6359dd
SHA256 817bc048781e236e42702521f82550b1a85060fa1e4a0caf08a6547c35baa4bc
SHA512 a02c15161d82db9219a69e38e336ab1a2c3e7e77aa16e7f614219d5859ea37e7d38e4372a7adbaf146508713d96781eebced31624ebbdecb58c9820859bafe28

memory/3128-42-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3128-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3128-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3128-48-0x0000000000400000-0x0000000000428000-memory.dmp