Malware Analysis Report

2025-08-11 02:10

Sample ID 231003-dmp32sga4w
Target 69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468
SHA256 69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468
Tags
healer dropper evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468

Threat Level: Known bad

The file 69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468 was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 03:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 03:07

Reported

2023-10-03 03:10

Platform

win10-20230915-en

Max time kernel

128s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 424 set thread context of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3800 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe
PID 3800 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe
PID 3800 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe
PID 2856 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe
PID 2856 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe
PID 2856 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe
PID 1292 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe
PID 1292 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe
PID 1292 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe
PID 5100 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe
PID 5100 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe
PID 5100 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe
PID 5100 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe
PID 5100 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe
PID 424 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 424 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 424 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 424 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 424 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 424 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 424 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 424 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 424 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 424 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe

"C:\Users\Admin\AppData\Local\Temp\69e2fbd2ea73f89ed10a9f89e7f35487c860c1adea1322214dc5909781a3d468.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iY8kb09.exe

MD5 cbcf5a947412fb62c35d0a049e52fe6d
SHA1 6b994a5057c277ee21585865c324206029c4e094
SHA256 b3d89672d76b866a1b02564a46abbaadb3d4da3b4231a5290c5613a05965b283
SHA512 9711f0bcacca4823fe01293f4dbc8eef95035b858a1801ac84cb3bd7d050e9669a9312947ba2941b4b761d8983794696b87b84f9fa3c457b851c59b843b38805

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb2zR83.exe

MD5 624a694a779aabcba2f67cdf73380fb2
SHA1 1dd5418500132310b43669a55a85870e01818446
SHA256 13f4f8bbc394b2ed5f814b23dbe59462e6c32a3f4f105c3cef01379999baf2af
SHA512 58a5ee1e184663f20402d9f3e3df4bcbfb0d70ba25414533b1477ec7213654360b5f93f4c73d81ea6eeedd80a04cfc8389227c18c48ec406db1a21dc78122921

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sr3NZ90.exe

MD5 e4a7baef665a7149f4bc792748080240
SHA1 d075ac42be23b5907fbebbf042bb65efdbdcd919
SHA256 354b2754845d6a195c1c5ddb130039bd6bf52329b6cdffffd9f86b59ebf616dd
SHA512 4a456286e0d477e311b0704d5b0a68be487c02cf57b17e00cadac2e8b442e09a84f43b6141fddddd9106292603a515692cc22ad2e00c957d5806d9a5ea99ebe5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1AO38Iz2.exe

MD5 3f82e2a3ce72b5fe38f4c572a65cfd17
SHA1 4ad8ee72d22d3a675d4949d3a8d9cbfa11c4a1c5
SHA256 a5676d335c1738d96ec21afb4e9acd66cbded2bb7361d1b4e32190aad0102a9f
SHA512 7f77e63d6e3733912d1664431f6579572b6ab6ebaa039610be77df480815da064e674053f54f63fa8953765e6a1a065c2e8fa12a23ca96cf720d3e76109c3255

memory/4772-28-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

memory/4772-29-0x00007FFBDD1A0000-0x00007FFBDDB8C000-memory.dmp

memory/4772-31-0x00007FFBDD1A0000-0x00007FFBDDB8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Di1592.exe

MD5 084df43ce4ce72edc3c48945cd9cd269
SHA1 68f2bbdf8320b3058f5977738ef3cbc4c2af884e
SHA256 72db416c89ad5152f533a8ed977de539c74dfdd5f323d0121d831f99d7baf737
SHA512 ad8fa04c3d46f32edbf655f4b4c02ce8bf498f268b470dbf94d8616973359643e0ef388d0f1ad1c10f705bc489897c473c298f48b125211140b367506dbe9eda

memory/1700-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1700-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1700-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1700-41-0x0000000000400000-0x0000000000428000-memory.dmp