Overview

overview

10

Static

static

3

NEAS.9301c...10.exe

windows7-x64

10

NEAS.9301c...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2023 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.9301cb162262c21467e409e34c083b10.exe

  • Size

    890KB

  • MD5

    9301cb162262c21467e409e34c083b10

  • SHA1

    abcf1b431853b7115ae6091b591d5de7a93677ec

  • SHA256

    2e1d54b8f901ca82b03038d7e5dd540ac9291ee4e641f4de787e628b930134c1

  • SHA512

    8e891e9a6ad6b6375e46beb88ee82fbb681d5ef1299d52c2e0e88f22e53dfe25a4381560a51af169a327b80e56a7c7c7c6fb87efb31bb871ec6781d1f08318c3

  • SSDEEP

    12288:bMrTy90OZT83eCKnvhpcxMrAevRsXeWIoJOLS6R8QxixFIFW76pSin5G/4ej:MyNZNCupcxMrAanWO+6KQA6n5Ah

Score
10/10
healermysticredlinegruhadropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2040
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 140
          4⤵
          • Program crash
          PID:2264
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5010541.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5010541.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4352
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4868
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 540
              5⤵
              • Program crash
              PID:4860
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 148
            4⤵
            • Program crash
            PID:4864
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1304113.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1304113.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3812
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:4876
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 140
            3⤵
            • Program crash
            PID:1368
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1764 -ip 1764
        1⤵
          PID:4560
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4352 -ip 4352
          1⤵
            PID:2752
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4868 -ip 4868
            1⤵
              PID:3456
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3812 -ip 3812
              1⤵
                PID:3564

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1304113.exe
                Filesize

                1.0MB

                MD5

                170c2d85d4d23434fac6f0490134d271

                SHA1

                c112036ed860c7e78d237ba2e940bcfe0cdde30c

                SHA256

                0377e5b8ec6edd6f4818195aa45ac8010e7dcb5079bec718216e148e21765ac9

                SHA512

                888d144c8c73752d27870cea26a22701d11d63ca4146b7253cd40aa2777873979b8e4ad886cffd5d65d185aba8a16bf52afa774a4ac5bc04324651a3df4bccd3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1304113.exe
                Filesize

                1.0MB

                MD5

                170c2d85d4d23434fac6f0490134d271

                SHA1

                c112036ed860c7e78d237ba2e940bcfe0cdde30c

                SHA256

                0377e5b8ec6edd6f4818195aa45ac8010e7dcb5079bec718216e148e21765ac9

                SHA512

                888d144c8c73752d27870cea26a22701d11d63ca4146b7253cd40aa2777873979b8e4ad886cffd5d65d185aba8a16bf52afa774a4ac5bc04324651a3df4bccd3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
                Filesize

                499KB

                MD5

                3abbfa448b60de10f3fbda079fc1ede1

                SHA1

                9be3b2dc46377c0ce21809fffd2bd5a3b88a0b46

                SHA256

                ab46c18d29907aae620962f7302a257d3a5789cd8f58adc2191e1569ec2b64fc

                SHA512

                604374b8fd993806979ac89d65e2710d542c4eed557623db1bb7eeac5b58c139115186d3f49d0b19cf64b0e03d7e2763d4fd9856197fdc2e76ae8a233ac37751

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
                Filesize

                499KB

                MD5

                3abbfa448b60de10f3fbda079fc1ede1

                SHA1

                9be3b2dc46377c0ce21809fffd2bd5a3b88a0b46

                SHA256

                ab46c18d29907aae620962f7302a257d3a5789cd8f58adc2191e1569ec2b64fc

                SHA512

                604374b8fd993806979ac89d65e2710d542c4eed557623db1bb7eeac5b58c139115186d3f49d0b19cf64b0e03d7e2763d4fd9856197fdc2e76ae8a233ac37751

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
                Filesize

                860KB

                MD5

                9fe4f348592f5abfac13127b76ee54af

                SHA1

                fb3a82f325d56a3e91613d90a253ea11f52c3033

                SHA256

                b07f17bac1312c58426b60c9779a8a6d74c7f4d746021b51438d5967374192dc

                SHA512

                8d65124e66d310129d7c9ac3ab522e0d3df3567317292a486426e22f4edf135f31244983502e91849a408d458de252c3595a5647c19718daf3940a5f91143f59

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
                Filesize

                860KB

                MD5

                9fe4f348592f5abfac13127b76ee54af

                SHA1

                fb3a82f325d56a3e91613d90a253ea11f52c3033

                SHA256

                b07f17bac1312c58426b60c9779a8a6d74c7f4d746021b51438d5967374192dc

                SHA512

                8d65124e66d310129d7c9ac3ab522e0d3df3567317292a486426e22f4edf135f31244983502e91849a408d458de252c3595a5647c19718daf3940a5f91143f59

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5010541.exe
                Filesize

                1016KB

                MD5

                8078177861b4615ee055179a999ab29e

                SHA1

                158d24fd37af5447b57d23ff2fc7cfacd6e2b1a8

                SHA256

                2fe3799f6321b28cc6a9583d919c7f65cdff167fb0f1f0ffce5840fa5dba7f29

                SHA512

                7f7775267659793400c3b2ad824bb5c95cee0a505c902d3b897e281072eaee672b085e7d0273f6a39b93eda69320954faf03a1a0bb58c6f44c5eb7173e7213c2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5010541.exe
                Filesize

                1016KB

                MD5

                8078177861b4615ee055179a999ab29e

                SHA1

                158d24fd37af5447b57d23ff2fc7cfacd6e2b1a8

                SHA256

                2fe3799f6321b28cc6a9583d919c7f65cdff167fb0f1f0ffce5840fa5dba7f29

                SHA512

                7f7775267659793400c3b2ad824bb5c95cee0a505c902d3b897e281072eaee672b085e7d0273f6a39b93eda69320954faf03a1a0bb58c6f44c5eb7173e7213c2

                Download Submit

              • memory/2040-15-0x0000000074040000-0x00000000747F0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2040-14-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2040-38-0x0000000074040000-0x00000000747F0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2040-31-0x0000000074040000-0x00000000747F0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4868-19-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/4868-20-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/4868-21-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/4868-23-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/4876-30-0x0000000005AD0000-0x00000000060E8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4876-29-0x0000000001460000-0x0000000001466000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4876-28-0x0000000074040000-0x00000000747F0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4876-32-0x00000000055C0000-0x00000000056CA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4876-34-0x00000000054A0000-0x00000000054B0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4876-33-0x0000000002F10000-0x0000000002F22000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4876-35-0x00000000054F0000-0x000000000552C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4876-36-0x0000000005530000-0x000000000557C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4876-27-0x0000000000400000-0x0000000000430000-memory.dmp

                Filesize

                192KB

                Download

              • memory/4876-39-0x0000000074040000-0x00000000747F0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4876-40-0x00000000054A0000-0x00000000054B0000-memory.dmp

                Filesize

                64KB

                Download