Malware Analysis Report

2025-08-05 22:18

Sample ID 231003-nrczdsac5z
Target a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43
SHA256 a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43
Tags
healer dropper evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43

Threat Level: Known bad

The file a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43 was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 11:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 11:37

Reported

2023-10-03 11:40

Platform

win10-20230915-en

Max time kernel

127s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4872 set thread context of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe
PID 3132 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe
PID 3132 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe
PID 4156 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe
PID 4156 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe
PID 4156 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe
PID 2640 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe
PID 2640 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe
PID 2640 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe
PID 3808 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe
PID 3808 wrote to memory of 356 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe
PID 3808 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe
PID 3808 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe
PID 3808 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe
PID 4872 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4872 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe

"C:\Users\Admin\AppData\Local\Temp\a304990597cd3487d8063db0c5b1aaeb15c4eca87597d6ad487c175815d05d43.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 192

Network

Country Destination Domain Proto
US 8.8.8.8:53 177.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GU9CH02.exe

MD5 4f0b4ba453fe8cbc4783c9874d79bc6e
SHA1 f642397f98a0f32afd1b7ef3da93c7e7ce76a6cd
SHA256 6a851e3ae7ba5fc42885cf5f972c74b8c0183aac81c0da0558db4c04173821fe
SHA512 2ac44e4a7ea041ea0127e9b99308a114aa9ac0112f21c64e2461e9d648cc0dbb04090a842b06ad4fc67f15d6e08b7a22d17adc1d3056f1edfdd7c5faea37c210

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KV7JV92.exe

MD5 190605d9aff0c8f997553add1f73b7f6
SHA1 a5add285aa928ae1d5201d8f2b5b5bdb2cc32d31
SHA256 9a7b985322e6c953d1c941857db7e377143a1ecde7f101e13d2960bbd835ae75
SHA512 29cd4239f635bf0074c877550781a83667822efe5a433c29eeceb4e1b408eb378feb83bafd4b03f5721514577d49f0076ebec6056dae38064e2b41dca15c06c7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\De7mV25.exe

MD5 e1f94ea11b4051f09af96caec6603fe9
SHA1 07f7b53d308f10c964c1fe0a505d0f2bcd94b920
SHA256 6bc479573eba31861da2b23f961fcb5b7ab7cbf44e9fb55661133894c581d344
SHA512 c70695762550f7dc7fffca68fe95c427dd5602ed9e0227a275932d0aec1f24007b92844bd45b0af75cc9fe32ccac137177b612d4210b26e50a86eea57282428e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1QQ29wl4.exe

MD5 523b4afa2fe40bd2aad22dd509a91946
SHA1 b0eb9975e4ff08253e1294b8b546fea6bfaf6247
SHA256 bfbc2077b6d96f82c015b3e0df9c86e333277c8a217e13ed946f3a6d35b27e25
SHA512 490a042154426a8c12f99d313e980fe203f48182b964af6effa0d2012e66fc252608deb1e0310d5043a2a3d8c278ec04c6b8f56d3e66e1317ab037fc8d64b1a5

memory/356-28-0x0000000000700000-0x000000000070A000-memory.dmp

memory/356-29-0x00007FFCB1290000-0x00007FFCB1C7C000-memory.dmp

memory/356-31-0x00007FFCB1290000-0x00007FFCB1C7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2oS2746.exe

MD5 ac3d748bd53abd00abcf57a2c3e1f2ad
SHA1 3f082497aad436fac809fe19b98319c1bcbba4c6
SHA256 df9e30d9ab2d4f2a046e9807b7f7fca2181b8ef0319a9c4efc0124373e81d601
SHA512 a1314bede955a55a4049540ad08c7f5e8b5f5b6b6e8b56a1934dff7432eafd3d8999d878f13face0ebac1c0b48f6b288adbb8c8a28fe5b5679eb9ac8c8151bdd

memory/5024-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5024-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5024-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5024-41-0x0000000000400000-0x0000000000428000-memory.dmp