Malware Analysis Report

2025-08-05 22:18

Sample ID: 231003-n1f3eacc42
Target: 5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b
SHA256: 5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b
Tags: healer dropper evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b

Threat Level: Known bad

The file 5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-03 11:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-03 11:51
Reported: 2023-10-03 11:54
Platform: win10-20230915-en
Max time kernel: 128s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (reported 3 times, no details recorded)

Healer

Tags: dropper healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe | N/A

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 360 set thread context of 5104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe | N/A (reported 2 times)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4896 wrote to memory of 5040 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe
PID 5040 wrote to memory of 5044 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe
PID 5044 wrote to memory of 2840 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe
PID 2840 wrote to memory of 760 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe
PID 760 wrote to memory of 424 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe
PID 760 wrote to memory of 360 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe
PID 360 wrote to memory of 5104 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe | "C:\Users\Admin\AppData\Local\Temp\5b8020944e3b4c19f950c026f783a089050ed3d44a250720b70010505045301b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 360 -s 604
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 568

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.25.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4236574.exe

MD5 cecb33e52844eed2ab12ef26fe7edcc6
SHA1 72585c363dfcb6f19c150f2808f612b6ee1c1bab
SHA256 b03d4ca343454cf713e8b258bb72f3d3dc228728838b2213f0556bfdb9e16c23
SHA512 4befbcabfa457c87e7a1450caecfb41b2096c18da165cd52ad2b6041a7d9353ec0377cf21d5aff12424be1b58a45f83df13fa98f82bcac5df7101dcf83e32b3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1229832.exe

MD5 a30f8618a2d328ed1cf3c6bd4d7501cf
SHA1 8f2a3ff8babc7afe6f369988fd0c25be6d6dfc29
SHA256 fe65dea61980c9c653a12a5a4fffdea6bad6f4052af04e1c3faab3287b4182a6
SHA512 efec5d7dd2b75ba031c589b5405acca67889ce37423ad35516441d4462f975f97792e81f2ec5f28dd41ed50c768c64f2a3e09634cca1fefa16178a158505ec21

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1863501.exe

MD5 010abe4746330faa6c6ef72656ec1a94
SHA1 9a2b85a1e992a2bf5b85a52607793f821758fca8
SHA256 2ed891e2d101d95a76711417d84522b3a4e562d2ac535343ce3db8af3e90a1ab
SHA512 92dd7de4d8bd2d352e5c670d03fb7ce9e88c4096111ca2bc2b46e703a3df1564903327eaca213cfcea4414cb722c3d4dadfbcd4645ef6bf822d2aa33cdb9bf16

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4311597.exe

MD5 fa094e16096130944bb7b7521a316e51
SHA1 6989255601a8edefbc5314825fddf7c797819164
SHA256 f792b26069c47486f75901a4c96b4cac1b7f30fcf52f386812d0267b3c653d7d
SHA512 30a6ae9fc3c54d394edae44d59b38c8e5bbcb8a409263f58ed39a69e2134749356c275878b6adbd285114e262e75db7c922d22d56ded37a96a4cd20ed1e71527

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0773486.exe

MD5 895ee5b54370e21b75e65f2485359e6a
SHA1 393263f8cc26a011dd76540cdcbda413c3b500a2
SHA256 703ccd19b8eeba2e59483799736d39d46a2fa781764aaa9c73449fe9b8e2913c
SHA512 602113ba3dc01789d8ba17db5e9b740c49bc7d49f3c0468cfe49723941b419ce4cb17a5d2ef6437b080e6fbdb90850058eaac6020121343ef43a8e746f6601a6

memory/424-35-0x0000000000570000-0x000000000057A000-memory.dmp

memory/424-36-0x00007FFC5C4D0000-0x00007FFC5CEBC000-memory.dmp

memory/424-38-0x00007FFC5C4D0000-0x00007FFC5CEBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2240345.exe

MD5 93729dd51f21b7c2d4737f47d39e63c2
SHA1 e358d85a6562c9150cc265ed63c6e8eec0d68b0a
SHA256 990009f12a3aa835f9dbfa414f45f70c8c2b142d1f8507bf54acd4daad01add1
SHA512 278004db2da54e0c8de3ae0c4f326068d7f2bf2e7e78f0de4caf43cd1455b2474136cf652e4043606f29f7385b1f3c5b740a4c9de6b777a82a977a939f786d50

memory/5104-42-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5104-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5104-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5104-48-0x0000000000400000-0x0000000000428000-memory.dmp