Malware Analysis Report

2025-08-05 22:18

Sample ID 231003-pgb5saae7z
Target dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933
SHA256 dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933
Tags
healer dropper evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933

Threat Level: Known bad

The file dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933 was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 12:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 12:17

Reported

2023-10-03 12:20

Platform

win10-20230831-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2320 set thread context of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3708 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe
PID 3708 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe
PID 3708 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe
PID 2792 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe
PID 2792 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe
PID 2792 wrote to memory of 3672 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe
PID 3672 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe
PID 3672 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe
PID 3672 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe
PID 432 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe
PID 432 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe
PID 432 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe
PID 432 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe
PID 432 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe
PID 2320 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4416 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe

"C:\Users\Admin\AppData\Local\Temp\dbce6bdd247474179db59137515436785eb03193f2ef51244d62b1d5762fd933.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 568

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 77.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qZ0oP60.exe

MD5 468473d6f1a2d1fbb8c07b307215108f
SHA1 520bb733551505f6020578a7584e74505f01cb49
SHA256 fff34c3f782bf2415ef118ce318ad4fc805c995b15eace0a7463341d5195ca58
SHA512 175b868fe33fc9600b5ba939c2e83ade7cc6eba038f473ce57875428a965090581797b1ac3eeac1a98db77b5d948904d49318bf8c2aabf2ef1d4c0c930379473

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yj1Cc63.exe

MD5 43163cc4a6a39df696c8d1c207c54ee5
SHA1 49d58dcda045fd084f02bfb257ef26671e0c049a
SHA256 baaea239b204bbbc3ad578082ec43226bb577f85f924bf3a68c1d6d452ff1e7f
SHA512 9c8d1318d7342a5303e70458cf131dc02740ba415759420f4516dca7b2906518cf4555d4d87ff278fb5e54d6ed2404ed29f81ced8e3b3da7535c16260d13762b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zZ4Lp23.exe

MD5 64bca51ecff153f709b0cc24dd7c4b93
SHA1 2aa7c15f7026208977f7fb29eedc0d5545a0ff5c
SHA256 19ea671822598b6a024be776a8478072818957e2ce7a3b5d3de15b4096b5d30f
SHA512 4c12360966db4e8ecf51461df2d21022e51875f558e64944bbe64d0cdca5722a0e25fa36d02ea8b6fecdb9f60d99197eff98bcfb8bf05b85dff2389c6eb6c3a9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1hi22Qx2.exe

MD5 e2c620e42d157ad9c02ec84dbae97201
SHA1 e30c848655af00953fdb31a4eafc3cfdcaaea064
SHA256 056b2870ff956c76d100ccf4a6d7ea1c9b7aed9ca7e993ec52b6e8f1f6eb03b7
SHA512 dd3be5c7320ec692f111b91622908a3cea601baf036684fe3251cddb9f9f7ed2977d6baef781beb4ff2570671ca1ce8b0031bc5a2f95a52858bdf19cc0383521

memory/372-28-0x0000000000010000-0x000000000001A000-memory.dmp

memory/372-29-0x00007FF9DB3D0000-0x00007FF9DBDBC000-memory.dmp

memory/372-31-0x00007FF9DB3D0000-0x00007FF9DBDBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2vK2667.exe

MD5 dc3ed8d7ff3799e6d004415d44ab9355
SHA1 650eed74c34700f96cdd1181023809c4020e9687
SHA256 d076ba245e680b4423222ebbbc65424c6f0119f5b428e89cd61030282683c276
SHA512 0dcefad4327b6eb04bba4e1ac6b29d4244463b7c1a1e104ef9f1a5f77e8ed18354787912c970e6dc02b7bdec3d9f7584bff5609066906312c2a540921032666e

memory/4212-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4212-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4212-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4212-41-0x0000000000400000-0x0000000000428000-memory.dmp