Malware Analysis Report

2025-08-11 02:10

Sample ID 231003-del2eshg72
Target ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93
SHA256 ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93
Tags
healer dropper evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93

Threat Level: Known bad

The file ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93 was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 02:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 02:55

Reported

2023-10-03 02:58

Platform

win10-20230915-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5092 set thread context of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4176 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
PID 4176 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
PID 4176 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
PID 2080 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
PID 2080 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
PID 2080 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
PID 3080 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
PID 3080 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
PID 3080 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
PID 2668 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe
PID 2668 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe
PID 2668 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
PID 2668 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
PID 2668 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
PID 5092 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ea94336e930c6d164b6099730bcffb52db8d10610167f5006f43c8a2fb577e93.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 588

Process: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wp2Et77.exe

MD5 52ed0d4cad0ceb29afb1804c5f1489eb
SHA1 3fac180571a5f2e3c156e3066fad928f9f563d0d
SHA256 fca6694f173e2cf3e02430a37c305ab4e58ce95b830c83c32ebdd8da7b7a85a3
SHA512 4256506efd57c928d5a2e3736bcaa3237c8b33df6c51f99f358c353b54aa15d9196fd4cd7aa07eeae56842b549a0258edc3af43b7193d17eaec5ae0ba0de91e5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ue9GK99.exe

MD5 1e171451dc2a0da783ad0da1845272ca
SHA1 d8a3fe31dfb22bf2732b4b3fbbeec481aeeeb814
SHA256 1317f453a7b58b585d93aa86431c97374433d6edad874369166c28e6c2d64f04
SHA512 885a1beb39031a319f6ddf7de1d745d5f855168dae186d850b4ac29137cc0886c1d4114bc5dc3241492dced5aae3b013ca755f7696aeb2377a6899b365e45649

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eJ1Vg68.exe

MD5 171adcd4b6203c84c60aa8906c989352
SHA1 12760c7bb5a52bf5e26f7b690c29c5be391216d2
SHA256 c0f77ed0cf045092cd1245710c34b9d779508699bbaf3bf05cdc31c484c2e094
SHA512 801731362cf64496fa20b178db64976a184cc0378e1cc6c5acb54ec306ebc6f2a23dde4be15b25442589a708b6c660fb1a16d63116a66b92d90c6ecf1bc01789

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1me35um6.exe

MD5 31e10401a29a6864917ba298a4dee9f7
SHA1 1fc35715da630fee7092ed0a405a71a3de55ec5c
SHA256 5def27b47d5664016b169525e800af478f7a484ed55ff55a7a6946afb4373715
SHA512 f4cf33584a3bef1fb9a49bf69a970ca8dfb4fcfd884e58ec73929b7a66f2efd9fb48f807a061c8d87bfd5d3cdbe7cf4328e95cd9bf421036eb0e3363d3e05a99

memory/760-28-0x00000000002E0000-0x00000000002EA000-memory.dmp

memory/760-29-0x00007FFEBC3C0000-0x00007FFEBCDAC000-memory.dmp

memory/760-31-0x00007FFEBC3C0000-0x00007FFEBCDAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ux5140.exe

MD5 e6eb4b6e93d29cbd10519979de39cfe1
SHA1 f7bd8c746e9af1242c65915007de51628a3e228e
SHA256 fa41b39c0a6bfbd4f1bbee90896bff7b0316fa6745ebdec4800e3ba1e58d1c6b
SHA512 30f5850a9fded402fa04c376459db0b06825a3086d3d94fe25cfc4a234461992093685e3104787fa8f607ea2a73645bdee79dbab3504c7c3b09074f32bd23d10

memory/4276-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4276-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4276-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4276-41-0x0000000000400000-0x0000000000428000-memory.dmp