Malware Analysis Report

2024-10-24 19:57

Sample ID 231026-ckbxzabb55
Target NEAS.9301cb162262c21467e409e34c083b10.exe
SHA256 2e1d54b8f901ca82b03038d7e5dd540ac9291ee4e641f4de787e628b930134c1
Tags healer dropper evasion persistence trojan mystic redline gruha infostealer stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 2e1d54b8f901ca82b03038d7e5dd540ac9291ee4e641f4de787e628b930134c1

Threat Level: Known bad

The file NEAS.9301cb162262c21467e409e34c083b10.exe was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan mystic redline gruha infostealer stealer

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

Detects Healer an antivirus disabler dropper

Healer

RedLine

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-26 02:07

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-26 02:07

Reported

2023-10-26 02:13

Platform

win7-20231023-en

Max time kernel

121s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1280 set thread context of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2740 wrote to memory of 1532 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe | 7
PID 1532 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe | 7
PID 1280 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 7
PID 1280 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 7
PID 1280 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 12
PID 1280 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe | C:\Windows\SysWOW64\WerFault.exe | 7

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 288

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe

MD5 3abbfa448b60de10f3fbda079fc1ede1
SHA1 9be3b2dc46377c0ce21809fffd2bd5a3b88a0b46
SHA256 ab46c18d29907aae620962f7302a257d3a5789cd8f58adc2191e1569ec2b64fc
SHA512 604374b8fd993806979ac89d65e2710d542c4eed557623db1bb7eeac5b58c139115186d3f49d0b19cf64b0e03d7e2763d4fd9856197fdc2e76ae8a233ac37751

\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe

MD5 9fe4f348592f5abfac13127b76ee54af
SHA1 fb3a82f325d56a3e91613d90a253ea11f52c3033
SHA256 b07f17bac1312c58426b60c9779a8a6d74c7f4d746021b51438d5967374192dc
SHA512 8d65124e66d310129d7c9ac3ab522e0d3df3567317292a486426e22f4edf135f31244983502e91849a408d458de252c3595a5647c19718daf3940a5f91143f59

memory/2660-23-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-24-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-26-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-25-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2660-28-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-30-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2660-32-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-26 02:07

Reported

2023-10-26 02:11

Platform

win10v2004-20231023-en

Max time kernel

139s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe"

Signatures

Detect Mystic stealer payload

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Mystic

stealer mystic

RedLine

infostealer redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2512 wrote to memory of 4468 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe | 3
PID 4468 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe | 3
PID 1764 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 8
PID 4468 wrote to memory of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5010541.exe | 3
PID 4352 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5010541.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 10
PID 2512 wrote to memory of 3812 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1304113.exe | 3
PID 3812 wrote to memory of 4876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1304113.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 8

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.9301cb162262c21467e409e34c083b10.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1764 -ip 1764

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 140

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5010541.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5010541.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4352 -ip 4352

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 148

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1304113.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1304113.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3812 -ip 3812

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 140

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.17.30.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp
FI | 77.91.124.55:19071 | N/A | tcp
FI | 77.91.124.55:19071 | N/A | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
FI | 77.91.124.55:19071 | N/A | tcp
FI | 77.91.124.55:19071 | N/A | tcp
US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp
FI | 77.91.124.55:19071 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5140034.exe

MD5 3abbfa448b60de10f3fbda079fc1ede1
SHA1 9be3b2dc46377c0ce21809fffd2bd5a3b88a0b46
SHA256 ab46c18d29907aae620962f7302a257d3a5789cd8f58adc2191e1569ec2b64fc
SHA512 604374b8fd993806979ac89d65e2710d542c4eed557623db1bb7eeac5b58c139115186d3f49d0b19cf64b0e03d7e2763d4fd9856197fdc2e76ae8a233ac37751

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0075553.exe

MD5 9fe4f348592f5abfac13127b76ee54af
SHA1 fb3a82f325d56a3e91613d90a253ea11f52c3033
SHA256 b07f17bac1312c58426b60c9779a8a6d74c7f4d746021b51438d5967374192dc
SHA512 8d65124e66d310129d7c9ac3ab522e0d3df3567317292a486426e22f4edf135f31244983502e91849a408d458de252c3595a5647c19718daf3940a5f91143f59

memory/2040-14-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2040-15-0x0000000074040000-0x00000000747F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5010541.exe

MD5 8078177861b4615ee055179a999ab29e
SHA1 158d24fd37af5447b57d23ff2fc7cfacd6e2b1a8
SHA256 2fe3799f6321b28cc6a9583d919c7f65cdff167fb0f1f0ffce5840fa5dba7f29
SHA512 7f7775267659793400c3b2ad824bb5c95cee0a505c902d3b897e281072eaee672b085e7d0273f6a39b93eda69320954faf03a1a0bb58c6f44c5eb7173e7213c2

memory/4868-19-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4868-20-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4868-21-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4868-23-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1304113.exe

MD5 170c2d85d4d23434fac6f0490134d271
SHA1 c112036ed860c7e78d237ba2e940bcfe0cdde30c
SHA256 0377e5b8ec6edd6f4818195aa45ac8010e7dcb5079bec718216e148e21765ac9
SHA512 888d144c8c73752d27870cea26a22701d11d63ca4146b7253cd40aa2777873979b8e4ad886cffd5d65d185aba8a16bf52afa774a4ac5bc04324651a3df4bccd3

memory/4876-27-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4876-28-0x0000000074040000-0x00000000747F0000-memory.dmp
memory/4876-29-0x0000000001460000-0x0000000001466000-memory.dmp
memory/4876-30-0x0000000005AD0000-0x00000000060E8000-memory.dmp
memory/2040-31-0x0000000074040000-0x00000000747F0000-memory.dmp
memory/4876-32-0x00000000055C0000-0x00000000056CA000-memory.dmp
memory/4876-34-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/4876-33-0x0000000002F10000-0x0000000002F22000-memory.dmp
memory/4876-35-0x00000000054F0000-0x000000000552C000-memory.dmp
memory/4876-36-0x0000000005530000-0x000000000557C000-memory.dmp
memory/2040-38-0x0000000074040000-0x00000000747F0000-memory.dmp
memory/4876-39-0x0000000074040000-0x00000000747F0000-memory.dmp
memory/4876-40-0x00000000054A0000-0x00000000054B0000-memory.dmp