Malware Analysis Report

2024-10-24 19:58

Sample ID 231101-q78r4sad7x
Target NEAS.248fe715c8c20dedc426433878766200.exe
SHA256 5eb1f9bfa6674b496dc91bb704ae98e167102cc0b6040aaa62e65cc6600f5dbf
Tags healer mystic redline stas dropper evasion infostealer persistence stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 5eb1f9bfa6674b496dc91bb704ae98e167102cc0b6040aaa62e65cc6600f5dbf

Threat Level: Known bad

The file NEAS.248fe715c8c20dedc426433878766200.exe was found to be: Known bad.

Malicious Activity Summary

healer mystic redline stas dropper evasion infostealer persistence stealer trojan

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

RedLine

Detect Mystic stealer payload

Healer

Mystic

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2023-11-01 13:55

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-01 13:55

Reported

2023-11-01 15:19

Platform

win10v2004-20231025-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.248fe715c8c20dedc426433878766200.exe"

Signatures

Detect Mystic stealer payload

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe | N/A

Mystic

stealer mystic

RedLine

infostealer redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.248fe715c8c20dedc426433878766200.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3844 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.248fe715c8c20dedc426433878766200.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe
PID 3844 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.248fe715c8c20dedc426433878766200.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe
PID 3844 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.248fe715c8c20dedc426433878766200.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe
PID 1536 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe
PID 1536 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe
PID 1536 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe
PID 1424 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe
PID 1424 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe
PID 1424 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe
PID 3588 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe
PID 3588 wrote to memory of 5092 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe
PID 3588 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0883930.exe
PID 3588 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0883930.exe
PID 3588 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0883930.exe
PID 1424 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7632903.exe
PID 1424 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7632903.exe
PID 1424 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7632903.exe

Processes

Path: C:\Users\Admin\AppData\Local\Temp\NEAS.248fe715c8c20dedc426433878766200.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.248fe715c8c20dedc426433878766200.exe"

Path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe

Path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe

Path: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe

Path: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe

Path: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0883930.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0883930.exe

Path: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7632903.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7632903.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 126.209.247.8.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe

MD5 0d972758853cdae72f1b2976385687a5
SHA1 5ee1ab71437ae74490220f525ddbec908b28e54e
SHA256 e2ecca7158be1f5e91230dec7fd6fa7feff355b77c4ea4fc4b8d8bde1c7c664e
SHA512 582c093dc592d4cbe06938769554b9eacb1acb096c2b82beb3e41a41f9f71d2053c0155d0318f44e0c1de7de08647dfa1ee80fa23443fd1c6fed306dfac0b0e4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe

MD5 ff3f0e486464f3473a68d55da2ff926f
SHA1 01644a862d33c9fbf2abddad254975054d596c3a
SHA256 bfbc5549383ccaaf02378803c8ae60ecb8c347246e028a4920be7ff78a06b237
SHA512 eaf9af11e86da2dccd24890724799e775694bdb0c973c9c20b2efd364582650ea64654951b168e608d28e3a3547bdd26ec8b9d2e84672b43862c06c6e9ef58e7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe

MD5 63b4afe6a4129a54c8c435e9d9281a0e
SHA1 d2b46895d25b2d5a0c093765e57578c85add3590
SHA256 d99865d00425cf2cf13d223847a4cbe9833c60f63e93f3610adde1b59f538f88
SHA512 fe87dfcb43356295c7adccccd3a869ed9797f9328f58fbb00132bd8abaa14b8edb27978fa5f242b6f68c5d9db473b6b4a5e99a0f3ecf1f0e0faac6303f1b17f1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe

MD5 a4ef30681b5e1b73d464c09cdf52b776
SHA1 92bd836eb5e7382cdfa3c4e6918eaa6409683a04
SHA256 acadd7759e5eecf904f5552e464f07b1a517200c8483435e47ae4a12f9b9b8fe
SHA512 7bb5cbc2e43fbdd1deaa4b72d2b4ddb663803493ae2028484f015fe6b614bec537e3b057e0de9326881356937ea5bfd169f53ce2ee2a27049193c4695ab5d8e3

memory/5092-28-0x0000000000F70000-0x0000000000F7A000-memory.dmp

memory/5092-29-0x00007FFB30FC0000-0x00007FFB31A81000-memory.dmp

memory/5092-30-0x00007FFB30FC0000-0x00007FFB31A81000-memory.dmp

memory/5092-32-0x00007FFB30FC0000-0x00007FFB31A81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0883930.exe

MD5 9c61af147b2b2f93b1ec4345cf438b2a
SHA1 425e86db29d9ae51a0f1fa73f2bf7b90e66ed6ab
SHA256 1febca12da614ace0014c0f69086730698ffa2d867b73feb561f3a9c81c52c83
SHA512 4be21d3bff22e86dff90f5e8e0caa98bf925d046c769bf5ce8bc6310c9eafb54d7613207a46e5c5e5e652db6a9d69cfb66c9c11b0f855c8debd74815b2f94817

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7632903.exe

MD5 0bef73a2ce61299393cd0112160c10fd
SHA1 bf8b513969abb95563d2fb2b6129eae8af148796
SHA256 2834689c0ab1c01fa09e9caf3a770e546d8c102541c773d90c11d73e41998760
SHA512 b880eb7f53e441943eac2f7d078867b8e8b84fc6640317ee89adfb97547ae89b70347fc5160b4a3f4707b8d668140df32966ac53816ffd12af80b4c6ead92c67

memory/1856-39-0x00000000006B0000-0x00000000006E0000-memory.dmp

memory/1856-40-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1856-41-0x0000000002890000-0x0000000002896000-memory.dmp

memory/1856-42-0x0000000005820000-0x0000000005E38000-memory.dmp

memory/1856-43-0x0000000005310000-0x000000000541A000-memory.dmp

memory/1856-44-0x00000000050F0000-0x0000000005100000-memory.dmp

memory/1856-45-0x0000000005070000-0x0000000005082000-memory.dmp

memory/1856-46-0x0000000005200000-0x000000000523C000-memory.dmp

memory/1856-47-0x0000000005240000-0x000000000528C000-memory.dmp

memory/1856-48-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1856-49-0x00000000050F0000-0x0000000005100000-memory.dmp