Malware Analysis Report

2025-08-05 22:18

Sample ID 231003-nwezjscb85
Target dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb
SHA256 dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb
Tags
healer dropper evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb

Threat Level: Known bad

The file dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 11:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 11:44

Reported

2023-10-03 11:47

Platform

win10-20230915-en

Max time kernel

125s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4856 set thread context of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe
PID 2768 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe
PID 2768 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe
PID 2116 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe
PID 2116 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe
PID 2116 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe
PID 2632 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe
PID 2632 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe
PID 2632 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe
PID 4372 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe
PID 4372 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe
PID 4372 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe
PID 4372 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe
PID 4372 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe
PID 4856 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4856 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe

"C:\Users\Admin\AppData\Local\Temp\dc49b0b0815795e7c1162bd7fdcc7f36f810abd5673e58d025a212b7a9e79ebb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 225.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fb4cT90.exe

MD5 3f9bf33de9dbc3b4ff325ed2ca484383
SHA1 7d35c87fc1fc54778cd9d848ce4e7093b210eb25
SHA256 151b09a17549eb664d9861266ee3aae882c761408fa2ee20faf772e7fe824214
SHA512 612232bc28d32e68c0a61103756da337bc82431cd86778b64a3fbd11b6a4c0d80e8b2d00f97dc864c72186cde888295d6c9fe06f9977364ce5dd7a48270215d0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rA7Ev50.exe

MD5 b8419002a71cb074d22c204494c444f0
SHA1 218c717272b12775faf896a653f7c220a6cec37c
SHA256 75023350df0134e5a73857f76c7ead28e5c1d029ddbbcc20f1a2b6585895999b
SHA512 675a95d0957f5efb109fae36b0371c753ad5b67092d89b83eef513a4d06695fd966602fb199dbddeaeacc6c6a57174c5c92e62fea6137294c163c13450beca55

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sf6Uq60.exe

MD5 d26ea2df963e785b102079b28c352b59
SHA1 4ae543c6a6370e1af8789671b9e269a2216a4d44
SHA256 653f9e4e32b6db993309907ef8cd9e95ddf3123fc98c4b3a29b1b83e7d1fbeba
SHA512 f16a16c1d58227e0c3d97a58a776af4271fc733c7e40721d1254612562425ac59afa15fdab14084800615763d74a145c87b188e1504d6c85cfc133af08530e39

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1vJ48qZ3.exe

MD5 35a0e47267276a8e8882396e4f192a37
SHA1 a6353f0584ca37d0f783e1a077b524ec54da2a2c
SHA256 e4d31acd4f6f9a8c85c0c7d946d55e4efd5a2571f54a3b6682e04495f951bd96
SHA512 e322cf2c200076ced13d097f6cb3a92164a6fc7cfcc7c855161d7bf76397c8eb96be20d347cb609bba1361ac803ba5b23668b02f6c7f62db25b2a025d5e6fc03

memory/4264-28-0x0000000000470000-0x000000000047A000-memory.dmp

memory/4264-29-0x00007FFDD9510000-0x00007FFDD9EFC000-memory.dmp

memory/4264-31-0x00007FFDD9510000-0x00007FFDD9EFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yu1664.exe

MD5 4f0618a9c475f2cc448658d569feecf6
SHA1 894882be7b89ef0fc6c80f1b6d2af88f70a633ab
SHA256 b45b29dfdeaa8ea21d2e73220210627f7feadb3d73326da0f24825b38389d382
SHA512 0a5b6ab69ab1cf37b9f93c0d59eb55af05f8976272fef45eb551d2ced503f9e64ecb7ef914bb176d52111f426933015200a847855ab21c84e35d2e8f492855b1

memory/204-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/204-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/204-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/204-41-0x0000000000400000-0x0000000000428000-memory.dmp