Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a4f1bc63fa...14.exe

windows7-x64

10

a4f1bc63fa...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    205s
  • max time network
    213s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 05:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4f1bc63fa2e4afce5187f4dca16a2740c9a0467a29cccea99359aec58978114.exe

  • Size

    1.1MB

  • MD5

    38632233845254a2918bf7b43f194c1b

  • SHA1

    e38ef1326b592b0f295d68ed77fdf0d0fdd78c20

  • SHA256

    a4f1bc63fa2e4afce5187f4dca16a2740c9a0467a29cccea99359aec58978114

  • SHA512

    6f5e238177b21d135e216fab35211f2fad3bab32191fc1063feac61327a2abe6b14c6bed2f90782c2156377f0eb3cee83efd0d6cb02ae5e003d7e1b2a0851e75

  • SSDEEP

    24576:Iya/mJtYAl+jUNEHcn+ZFw4OuehoGSGo4jKDpSuLkrxCr4jLtE:P+KtYAlEzB7O/qGSJ4jxuLkrwr4j

Score
10/10
healermysticdropperevasionpersistencestealertrojan

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4f1bc63fa2e4afce5187f4dca16a2740c9a0467a29cccea99359aec58978114.exe
    "C:\Users\Admin\AppData\Local\Temp\a4f1bc63fa2e4afce5187f4dca16a2740c9a0467a29cccea99359aec58978114.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8802024.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8802024.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3536989.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3536989.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4110671.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4110671.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4300
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4385511.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4385511.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4752
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5240595.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5240595.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2816
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1832
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 152
                7⤵
                • Program crash
                PID:1452
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0363003.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0363003.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4716
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                  PID:1460
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2816 -ip 2816
      1⤵
        PID:3504
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4716 -ip 4716
        1⤵
          PID:2028

        Network

        • flag-us
          DNS
          157.123.68.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          157.123.68.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          8.8.8.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dnsgoogle
        • flag-us
          DNS
          126.177.238.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          126.177.238.8.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          206.23.85.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          206.23.85.13.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          126.41.238.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          126.41.238.8.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          75.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          75.159.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          108.211.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          108.211.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          57.169.31.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          57.169.31.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          21.236.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          21.236.111.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          64.159.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          64.159.190.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          158.240.127.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          158.240.127.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          8.173.189.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.173.189.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          26.35.223.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          26.35.223.20.in-addr.arpa
          IN PTR
          Response
        No results found
        • 8.8.8.8:53
          157.123.68.40.in-addr.arpa
          dns
          72 B
           146 B
           1
          1

          DNS Request

          157.123.68.40.in-addr.arpa

        • 8.8.8.8:53
          8.8.8.8.in-addr.arpa
          dns
          66 B
           90 B
           1
          1

          DNS Request

          8.8.8.8.in-addr.arpa

        • 8.8.8.8:53
          126.177.238.8.in-addr.arpa
          dns
          72 B
           126 B
           1
          1

          DNS Request

          126.177.238.8.in-addr.arpa

        • 8.8.8.8:53
          206.23.85.13.in-addr.arpa
          dns
          71 B
           145 B
           1
          1

          DNS Request

          206.23.85.13.in-addr.arpa

        • 8.8.8.8:53
          126.41.238.8.in-addr.arpa
          dns
          71 B
           125 B
           1
          1

          DNS Request

          126.41.238.8.in-addr.arpa

        • 8.8.8.8:53
          75.159.190.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          75.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          108.211.229.192.in-addr.arpa
          dns
          74 B
           145 B
           1
          1

          DNS Request

          108.211.229.192.in-addr.arpa

        • 8.8.8.8:53
          57.169.31.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          57.169.31.20.in-addr.arpa

        • 8.8.8.8:53
          21.236.111.52.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          21.236.111.52.in-addr.arpa

        • 8.8.8.8:53
          64.159.190.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          64.159.190.20.in-addr.arpa

        • 8.8.8.8:53
          158.240.127.40.in-addr.arpa
          dns
          73 B
           147 B
           1
          1

          DNS Request

          158.240.127.40.in-addr.arpa

        • 8.8.8.8:53
          8.173.189.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          8.173.189.20.in-addr.arpa

        • 8.8.8.8:53
          26.35.223.20.in-addr.arpa
          dns
          71 B
           157 B
           1
          1

          DNS Request

          26.35.223.20.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8802024.exe
          Filesize

          983KB

          MD5

          5dd0edf953157aa36723581ccd761217

          SHA1

          1f68bedf537b8ddaa9c7cd5deb89c69702fe1dda

          SHA256

          7b8bd3d7507ae5a960100c029bde5f3f5debfd8b181d6ac32dffddf6882bb63c

          SHA512

          1a0d3edc789bf2e88f78adcfd91545399f56fc3967751313947b940e3d191d69afee13fb8ec6fd6d65c10704cf2343f98ec07b02fd84bacc0da237c8d65d22c4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8802024.exe
          Filesize

          983KB

          MD5

          5dd0edf953157aa36723581ccd761217

          SHA1

          1f68bedf537b8ddaa9c7cd5deb89c69702fe1dda

          SHA256

          7b8bd3d7507ae5a960100c029bde5f3f5debfd8b181d6ac32dffddf6882bb63c

          SHA512

          1a0d3edc789bf2e88f78adcfd91545399f56fc3967751313947b940e3d191d69afee13fb8ec6fd6d65c10704cf2343f98ec07b02fd84bacc0da237c8d65d22c4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3536989.exe
          Filesize

          800KB

          MD5

          b2f30e20df8c03e0ca879b32c2083296

          SHA1

          527a7d9c3f00965661ebed41a5d48efea63b6d7c

          SHA256

          b0f6dcbb8278624beaf5e46e13d3f3c3be3c6cbce35eeea2ca14610da5ea56a5

          SHA512

          d401da8d08f6a91a6eccf6165ab3058daf0803989e81420f1ee1fc8b1a2c01edc90cf229ef31f47072e6b84b0a59990423a9d95de72b3771090fe5d8d8bef52c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3536989.exe
          Filesize

          800KB

          MD5

          b2f30e20df8c03e0ca879b32c2083296

          SHA1

          527a7d9c3f00965661ebed41a5d48efea63b6d7c

          SHA256

          b0f6dcbb8278624beaf5e46e13d3f3c3be3c6cbce35eeea2ca14610da5ea56a5

          SHA512

          d401da8d08f6a91a6eccf6165ab3058daf0803989e81420f1ee1fc8b1a2c01edc90cf229ef31f47072e6b84b0a59990423a9d95de72b3771090fe5d8d8bef52c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4110671.exe
          Filesize

          617KB

          MD5

          157f76febfc185735378979e5c696c12

          SHA1

          fa6d83dfca266084c739bcfbb00d90e6ddf76ac9

          SHA256

          c833844127ddfd3faef6587694fb5d89238e959d2ced04ed1a09369426693d6a

          SHA512

          d642189f05b04cc55050594567022ddcfbdb20793b7ce41f2ba198177097a270dc9f494ccfb711f46df2904f5fdd422709c2d60872c951b83695ed205783dade

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4110671.exe
          Filesize

          617KB

          MD5

          157f76febfc185735378979e5c696c12

          SHA1

          fa6d83dfca266084c739bcfbb00d90e6ddf76ac9

          SHA256

          c833844127ddfd3faef6587694fb5d89238e959d2ced04ed1a09369426693d6a

          SHA512

          d642189f05b04cc55050594567022ddcfbdb20793b7ce41f2ba198177097a270dc9f494ccfb711f46df2904f5fdd422709c2d60872c951b83695ed205783dade

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4385511.exe
          Filesize

          346KB

          MD5

          00371b2cd7064ef8355af6baf1200028

          SHA1

          1e9eacd485322c5d54b6624e24e2eb2e972e2d1c

          SHA256

          dde9a73c0d795c182e9f6dda5b53fa30f546fd07656fc3679c2437c17a2ec656

          SHA512

          064e6f7e90a29041aa07b2688c36cc9db965145520af14db600b0241c2dcd08c1d313d2def594dd00d76c0e3f36b82d5f5620c9133639249cc00982d6a625162

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4385511.exe
          Filesize

          346KB

          MD5

          00371b2cd7064ef8355af6baf1200028

          SHA1

          1e9eacd485322c5d54b6624e24e2eb2e972e2d1c

          SHA256

          dde9a73c0d795c182e9f6dda5b53fa30f546fd07656fc3679c2437c17a2ec656

          SHA512

          064e6f7e90a29041aa07b2688c36cc9db965145520af14db600b0241c2dcd08c1d313d2def594dd00d76c0e3f36b82d5f5620c9133639249cc00982d6a625162

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5240595.exe
          Filesize

          227KB

          MD5

          493dc7d8138fc4c2f7008173581938e9

          SHA1

          2e07cfce2dd0a024f95553e57cc57c7036d5f1e1

          SHA256

          cc9e18805ba98ed8846428a56904dda8f3855dff0fb00022b278f6bd4f2cf0ab

          SHA512

          d3e8777674f41e28b88823d950197c7af04b84dfb3f55a5efb71935ec2d06cf4fbc27d079f208dca30ca75694acc7a11806322566349110bae1cf15404cfab0e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5240595.exe
          Filesize

          227KB

          MD5

          493dc7d8138fc4c2f7008173581938e9

          SHA1

          2e07cfce2dd0a024f95553e57cc57c7036d5f1e1

          SHA256

          cc9e18805ba98ed8846428a56904dda8f3855dff0fb00022b278f6bd4f2cf0ab

          SHA512

          d3e8777674f41e28b88823d950197c7af04b84dfb3f55a5efb71935ec2d06cf4fbc27d079f208dca30ca75694acc7a11806322566349110bae1cf15404cfab0e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0363003.exe
          Filesize

          356KB

          MD5

          b4d2f435a2a0f4d9e8657a74bcac5e26

          SHA1

          941d9445eb5e76425e39eee5134441733d469b8e

          SHA256

          7dfaa8cf6458143ae95efb3d20e7aa271ac4b21e7b27725f7853940d21e8adc0

          SHA512

          60832939f294e61f82646ed041b28e9e9cabd49294425dc7765b809d91d72786154e56487399d8d8700b68b47b5f0457b76aba6ad084452baa64511fa757553f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0363003.exe
          Filesize

          356KB

          MD5

          b4d2f435a2a0f4d9e8657a74bcac5e26

          SHA1

          941d9445eb5e76425e39eee5134441733d469b8e

          SHA256

          7dfaa8cf6458143ae95efb3d20e7aa271ac4b21e7b27725f7853940d21e8adc0

          SHA512

          60832939f294e61f82646ed041b28e9e9cabd49294425dc7765b809d91d72786154e56487399d8d8700b68b47b5f0457b76aba6ad084452baa64511fa757553f

          Download Submit

        • memory/1460-43-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/1460-45-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/1460-44-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/1460-47-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/1832-37-0x0000000074660000-0x0000000074E10000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1832-39-0x0000000074660000-0x0000000074E10000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1832-36-0x0000000074660000-0x0000000074E10000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1832-35-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.