Malware Analysis Report

2025-08-05 22:18

Sample ID 231003-paebkacd59
Target eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50
SHA256 eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50
Tags
healer dropper evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50

Threat Level: Known bad

The file eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50 was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 12:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 12:07

Reported

2023-10-03 12:09

Platform

win10-20230915-en

Max time kernel

109s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2864 set thread context of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe
PID 428 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe
PID 428 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe
PID 4820 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe
PID 4820 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe
PID 4820 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe
PID 424 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe
PID 424 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe
PID 424 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe
PID 4676 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe
PID 4676 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe
PID 4676 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe
PID 1020 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe
PID 1020 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe
PID 1020 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe
PID 1020 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe
PID 1020 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe
PID 2864 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2864 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2864 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2864 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2864 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2864 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2864 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2864 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2864 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2864 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe

"C:\Users\Admin\AppData\Local\Temp\eace3fab640275bbd8840aa1413c2a0ee920ed2a3027432ff39be28e78586e50.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6942079.exe

MD5 d66b832192781ce40419d8c81776c7d4
SHA1 b98d4bb5f246f977ffd0e3b31aea9ba5a34cd6c9
SHA256 b7badaecc56b93691eaeb1a5145ecf4787665b2e4c054879545e37d5b64110f0
SHA512 4eef2cbcb6ef268bc035dd8bd68f0abcc1bbff0124c16062f3561133f4ff81faef88e4d7844d97a54eb73570cc9524fb54c48aa04ec0a09f9d529e65ac84be16
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7413504.exe

MD5 2fe0809a0c81cd3caddec2b6f4518451
SHA1 6940b33b93919006f03ef1643d7096d7d43cb7fd
SHA256 209887ceef54bfde8f586fd9578685d8bdb2c3a3b5f1380b8568275e2e316120
SHA512 f4af8a5070c04ba0cad69ec137626f87f139d79895899b032f5446bd1c87e600a2a8bd5e6b43bdff882e84154c1a47b5b9bbf84b0ec4b37373021c4dbf1f986f
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4684420.exe

MD5 0f75abf26b1333caefb9a498807c2c5d
SHA1 d3bfd3aaefaf9f4cb8498c73e061aad7b2170cd7
SHA256 90a74c36b2f08c4feb45de6a6c0c01bcca52db10fda21f1865b16da4506eb6d9
SHA512 6d4c699e78eee93cae8961b1aa10b9e5815a66d0c54a476b28e43ac18ce72dc91a03fa8073485c3d1db4e2a8bb70eb8034dcca001f6c41072609760524e5db99
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1668808.exe

MD5 5fc4dda571d464feafeb4a89d859fe2a
SHA1 7e182022fbe548c4d689f688b776a41c7650a4ae
SHA256 4a70805a990cfb9657707fc470fa30e41c7ae1ef3cf0a271fec0ced1dc86ed82
SHA512 d00e61ae188010c0563176f2b548c08c5068137442552a7daa52858b016a62373c115468afe3af04a5799d67537fa179014975d6cb1714b466e77aeaee35b7ed
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3297704.exe

MD5 1a4621d9e38e35f1601e6c204f083330
SHA1 3c883ba331adb236ac156d4c187e1ba8a7801d4a
SHA256 640e7cc5738c39f28e7e8d63a23747dd32d2603e073eba9814cbf4b17ddcbdb8
SHA512 e046f78b2aa0ec1332e68ef6070f18cd7350fb2d4750b7be26a755dc29c744e3ee6c9492e557515f79e883dc3258359ec7c38b41d00252154f0f1150fdf9f816
memory/4248-35-0x0000000000910000-0x000000000091A000-memory.dmp

memory/4248-36-0x00007FFCC5720000-0x00007FFCC610C000-memory.dmp

memory/4248-38-0x00007FFCC5720000-0x00007FFCC610C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3699752.exe

MD5 70665ec4c94a8e7d0822f4953151dae7
SHA1 503a41f1e58457745817dd77bf063448bb6921ef
SHA256 163b07e1850c146f6e5a129e102affdeddeff53593e2a637c5a874960dfdfc04
SHA512 6268bfaad7bf4df800ad7102b834b94964d1817e10ad963c7f0386448923f8be5409ae388a3c5c440f18ff3ff5f70240d8fac88f186e53295876a81b0a31d8e3
memory/2140-42-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2140-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2140-46-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2140-48-0x0000000000400000-0x0000000000428000-memory.dmp