Malware Analysis Report

2025-08-05 22:18

Sample ID 231003-nebwkaab4z
Target d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332
SHA256 d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332
Tags
healer dropper evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332

Threat Level: Known bad

The file d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332 was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 11:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 11:18

Reported

2023-10-03 11:20

Platform

win10-20230915-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe N/A

Note: the four wextract_cleanup<n> values are written by the IExpress/wextract self-extractor that wraps each stage (the nested IXP000.TMP to IXP003.TMP directories are its extraction areas). Each value runs advpack.dll,DelNodeRunDLL32 to delete one stage's temp directory at the next logon, so they are cleanup entries rather than a launcher for the payload; no Run or RunOnce value pointing at a dropped executable was recorded in this detonation.
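Detection logic for the registry activity in the two Windows Defender sections and the RunOnce section above, as an added example that is not part of this sandbox report or of any vendor's tooling: it normalises both the report's native \REGISTRY\MACHINE\ paths and Sysmon-style HKLM\ paths, flags the Real-Time Protection policy values and the TamperProtection write, and separates the wextract_cleanup RunOnce entries from a genuine autostart value. The Sysmon Event ID 13 field names and the trusted-writer list are assumptions; SAMPLE_EVENTS is constructed from the rows above, except one marked event that is a hypothetical autostart value the report did not observe.

```python
"""Classify registry 'value set' telemetry against the patterns in this report.

Added example; not part of the sandbox report or of any vendor's tooling.
Field names follow Sysmon Event ID 13 (RegistryEvent: Value Set); that mapping
is an assumption about the telemetry format.
"""
import re
from typing import Optional

# Key paths are compared after normalize_key(): lowercase, hive prefix removed,
# WOW6432Node folded away.
RTP_KEY = r"software\policies\microsoft\windows defender\real-time protection"
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring", "disableioavprotection",
    "disableonaccessprotection", "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
TAMPER_KEY = r"software\microsoft\windows defender\features"
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
}
# Writers expected to touch Defender policy values (Group Policy client); this
# list is an assumption. A binary in a user temp directory is the high-confidence case.
TRUSTED_POLICY_WRITERS = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\gpupdate.exe"}

_HIVE_RE = re.compile(
    r"^(?:\\registry\\machine|\\registry\\user\\[^\\]+|hklm|hkcu|hku\\[^\\]+)\\", re.I)
# Shape of the RunOnce value IExpress/wextract writes to delete its IXP00n.TMP
# work directory at next logon: cleanup, not payload persistence.
_WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe\s+c:\\windows\\system32\\advpack\.dll,delnoderundll32\s+"[^"]*\\ixp\d{3}\.tmp\\"',
    re.I)


def normalize_key(target_object: str) -> str:
    """Map '\\REGISTRY\\MACHINE\\...' (the report's form) and 'HKLM\\...' (Sysmon's)
    onto one comparable key path."""
    key = _HIVE_RE.sub("", target_object.strip()).lower()
    return key.replace("wow6432node\\", "")


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; the report renders "1"."""
    s = details.strip().strip('"')
    m = re.search(r"0x([0-9a-f]+)", s, re.I)
    if m:
        return int(m.group(1), 16)
    return int(s) if s.isdigit() else None


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one value-set event, or None if nothing matched."""
    if event.get("EventID") != 13:
        return None
    parent, _, value = normalize_key(event["TargetObject"]).rpartition("\\")
    details = event.get("Details", "")
    data = parse_dword(details)
    if parent == RTP_KEY and value in RTP_DISABLE_VALUES and data == 1:
        label = f"defender_rtp_disabled:{value}"
    elif parent == TAMPER_KEY and value == "tamperprotection" and data == 0:
        label = "defender_tamper_protection_off"
    elif parent in AUTORUN_KEYS:
        if _WEXTRACT_CLEANUP_RE.match(details.strip()):
            return "wextract_cleanup_runonce"  # informational only
        if "\\appdata\\local\\temp\\" in details.lower():
            return f"autorun_from_temp:{value}"
        return None
    else:
        return None
    if event.get("Image", "").lower() not in TRUSTED_POLICY_WRITERS:
        label += ":untrusted_writer"
    return label


def scan(events):
    """(image, label) for every event that produced a finding."""
    return [(e["Image"], lbl) for e in events if (lbl := classify(e))]


def ev(image, target, details):
    return {"EventID": 13, "Image": image, "TargetObject": target, "Details": details}


HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe"
RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [  # constructed from the report's rows unless noted
    ev(HEALER, r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", '"1"'),
    ev(HEALER, RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    ev(HEALER, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    ev(DROPPER, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
       r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    # Hypothetical autostart value (NOT observed in the report) to show the positive case.
    ev(HEALER, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe"),
    # Benign: the Group Policy client re-enabling real-time monitoring.
    ev(r"C:\Windows\System32\svchost.exe", RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for image, label in scan(SAMPLE_EVENTS):
        print(f"{label:55s} {image}")
```

With Tamper Protection enabled, Defender refuses changes to its own settings, so the TamperProtection write and the policy values may have had no effect on the host; the attempt itself is the signal to alert on, and the writer's path (a user temp directory rather than the Group Policy client) is what lifts it to high confidence. Folding WOW6432Node away matters here because the 32-bit wextract stages write the redirected view of the hive, as the report's RunOnce rows show.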

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1420 set thread context of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Note: 2iX7790.exe (PID 1420) both writes into and resets the thread context of AppLaunch.exe (PID 600), the Microsoft .NET host it launched; together with the memory/600-*-0x0000000000400000-0x0000000000428000 dumps listed under Files, this is the process-hollowing step that carries the final payload, and those dumps are the artifact to analyse for it. WerFault was then invoked for both PID 1420 and PID 600 (see Processes), so the injected payload crashed in this detonation and later-stage behaviour, including any network activity, should be expected to be missing from this report.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe
PID 4848 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe
PID 4848 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe
PID 4016 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe
PID 4016 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe
PID 4016 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe
PID 4192 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe
PID 4192 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe
PID 4192 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe
PID 3188 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe
PID 3188 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe
PID 3188 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe
PID 3188 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe
PID 3188 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
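The rows above parsed by an added example that is not part of this report: it rebuilds the launch chain from the WriteProcessMemory rows and isolates the one parent/child pair that also appears under SetThreadContext. SAMPLE_ROWS is copied from the table above (duplicate rows kept on purpose); the parser assumes image paths contain no spaces, which holds for every row here.

```python
"""Rebuild the launch chain and spot the hollowing pair from report-style rows.

Added example, not part of the sandbox report. Row format assumed:
'PID <src> wrote to memory of|set thread context of <dst> N/A <src_image> <dst_image>'
with no spaces inside image paths.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
OP_NAMES = {"wrote to memory of": "WriteProcessMemory",
            "set thread context of": "SetThreadContext"}

# Copied from the report's tables; duplicates are real repeated API calls.
SAMPLE_ROWS = r"""
PID 4848 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe
PID 4848 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe
PID 4016 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe
PID 4192 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe
PID 3188 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe
PID 3188 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1420 set thread context of 600 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"""


def parse_rows(text):
    """Return ([(src_pid, dst_pid, api)], {pid: image}) from report-style rows."""
    edges, images = [], {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_image"], m["dst_image"]
        edges.append((src, dst, OP_NAMES[m["op"]]))
    return edges, images


def is_system_binary(path):
    return path.lower().startswith("c:\\windows\\")


def is_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def hollowing_candidates(edges, images):
    """A parent writing into a child it just created is ordinary (CreateProcess
    does that itself). Writing AND resetting the child's thread context, with a
    writer in user temp and a target under C:\\Windows, is the hollowing shape."""
    apis = defaultdict(set)
    for src, dst, api in edges:
        apis[(src, dst)].add(api)
    return [
        (src, dst, images[dst])
        for (src, dst), seen in apis.items()
        if {"WriteProcessMemory", "SetThreadContext"} <= seen
        and is_system_binary(images[dst]) and is_user_temp(images[src])
    ]


def launch_chain(edges, images):
    """Depth-first [(pid, depth, image)] following WriteProcessMemory edges from
    the root, i.e. the PID that is never itself a target."""
    children, targets = defaultdict(list), set()
    for src, dst, api in edges:
        if api == "WriteProcessMemory" and dst not in children[src]:
            children[src].append(dst)
            targets.add(dst)
    roots = [p for p in list(children) if p not in targets]

    def walk(pid, depth):
        yield pid, depth, images[pid]
        for child in children.get(pid, []):
            yield from walk(child, depth + 1)

    return [node for r in roots for node in walk(r, 0)]


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    for pid, depth, image in launch_chain(edges, images):
        print("  " * depth + f"{pid} {image}")
    for src, dst, image in hollowing_candidates(edges, images):
        print(f"hollowing candidate: {src} -> {dst} ({image})")
```

Parent-to-child WriteProcessMemory alone is what CreateProcess does when it populates a new child's address space, which is why every stage of the nested wextract chain trips that signature; only 2iX7790.exe (1420) to AppLaunch.exe (600) adds SetThreadContext, and that pairing with a user-temp writer and a C:\Windows target is the criterion the function applies. Running it over the rows above yields a six-level chain, with 1jh00se4.exe and 2iX7790.exe as siblings under Ju5sm97.exe.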

Processes

C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe

"C:\Users\Admin\AppData\Local\Temp\d0447c2355c4987631618cdaad6a4721b8245131aa28a733b6cd324f34fa1332.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 600 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 225.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Note: only reverse (PTR) lookups sent to 8.8.8.8 were captured in the 149s network window; no other connection was recorded. This is consistent with the injected AppLaunch.exe payload crashing (WerFault entries for PIDs 1420 and 600 under Processes) before reaching any network stage, so the absence of traffic here should not be read as the sample having no network capability.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sR3Rd97.exe

MD5 449a335987e102e2fd2e8b7696b3ae4d
SHA1 eec71f904634c0ace885d776539ea8a21686258c
SHA256 ab9471b5802658f8093fc0846dd7d1a1f37382ae324ad128296caf921eefc4a0
SHA512 87ffced9996af916d40ded09a81f4bf0f971ae4039a443d732b7002f02ff18ffbe8b48a2e441be1df971eb9ad2c8e2becbccdad17327a006c4160c13d0ec2dbe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo7Gg07.exe

MD5 61e5ce1b3666d253136d70364ff287a0
SHA1 b37179bdccd9255c29dff74830fe8845bfa49f5f
SHA256 8d3c2a4429da9f4cb01ccf7e1b028d1b162877dc992f4f55715c777355b13549
SHA512 793efbfdfbcc519f0453d0a17c62705f84d6b0d8bf646d3ba0c4be769cc0972f8046450ec724f2efb68587f6aad2f5a11e5cbd7c40ea99c6e051b9712a655d8f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ju5sm97.exe

MD5 7c962d722ca137a161572106c5098c6c
SHA1 5276cfeead9bf4bc0ef540ac8faf602b8a47caa1
SHA256 0b31683a3a7e024a810c71a4b9478212c9c8980969526a08a0fbffea820c0294
SHA512 580d2920d58812d59f2bb2e4ae9809acf01db3e975b5a77ffe5a8d25870f65017bdd2eace11c2ab6a2da8ed5272d0378161295f622585c6474e3ca119cd08bd5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jh00se4.exe

MD5 385097ae848db5d88fc9b42cd72b4a49
SHA1 033079fd36b4e11dabe80332aa58da41fb8000fd
SHA256 e38a99b236000d777a07464fa0ef480eb1452ff17ceef0ee762faa7549ed81bc
SHA512 005fb77acd98fc4a8d2cb5289aa5b86f6e6710f85a963baa4e23a38c2840316f36fb32ed2e1bc87d9d208a99f452c7f817365535b543968e1df4629012f967e1

memory/3008-28-0x0000000000330000-0x000000000033A000-memory.dmp

memory/3008-29-0x00007FFE570C0000-0x00007FFE57AAC000-memory.dmp

memory/3008-31-0x00007FFE570C0000-0x00007FFE57AAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2iX7790.exe

MD5 cfa62f3674dfd5107a6864ad4084d56c
SHA1 4202d779d0b8d6aff3f373aedd2a1e83b19d8cb8
SHA256 0ef2edf4bda629a64709ca401dcc3ff02269b16c03552a387b5b6c4fef621325
SHA512 d8251c8aa9416cad54fa93d95493c7f05db14647361aace39edb9ce886ff40bcdb148a63e628c8d90f7dab617167f7bdf4794b5d0f83b40e2c5dcbf47b5bb687

memory/600-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/600-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/600-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/600-41-0x0000000000400000-0x0000000000428000-memory.dmp