Overview

overview

10

Static

static

3

NEAS.6f532...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2023 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.6f532b047ef3133943ba7d1c9e979710.exe

  • Size

    539KB

  • MD5

    6f532b047ef3133943ba7d1c9e979710

  • SHA1

    048b40f1d21bae58183717398b5072d3d412577a

  • SHA256

    3e86bd1463b0fbcb4c39762cee11a8e301816821af2c3708110a65fbe3f16916

  • SHA512

    8e360455a5304e08247ad73ab77c7503f986e0c6c175ce32d8de80eb59803747ce2dc0512d86a12634aaa33e5353b47fa1077b4d71b02d4517a753c8fe70a128

  • SSDEEP

    12288:yMrWy901HTdXc+y//fUVop3PKPY152Z57fGbgNMV:Aye++y3fCop3PKQ15kZBNu

Score
10/10
healermysticredlinejordandropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

jordan

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3252
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 540
              5⤵
              • Program crash
              PID:1476
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 612
            4⤵
            • Program crash
            PID:1072
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:1724
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
              PID:5060
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 152
              3⤵
              • Program crash
              PID:1204
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1700 -ip 1700
          1⤵
            PID:4464
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3252 -ip 3252
            1⤵
              PID:3468
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2136 -ip 2136
              1⤵
                PID:228

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe
                Filesize

                367KB

                MD5

                ad16c57165109d65188d097b45db4d63

                SHA1

                02569eafdc59bebafa84f117d5c6626f1d3f01d9

                SHA256

                524dc40a05ee0256996f5626923d69b7b610798f8480220695b3277db71b9ec7

                SHA512

                5e6eafd8ac5376db95b84964c07930fc899ed3e78d2e0cda2d3441cc9eba738c59ad61d3d2993b48bd71e47d4f3de1c055ec4a07ecdc23091f2b32023f6cdd88

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe
                Filesize

                367KB

                MD5

                ad16c57165109d65188d097b45db4d63

                SHA1

                02569eafdc59bebafa84f117d5c6626f1d3f01d9

                SHA256

                524dc40a05ee0256996f5626923d69b7b610798f8480220695b3277db71b9ec7

                SHA512

                5e6eafd8ac5376db95b84964c07930fc899ed3e78d2e0cda2d3441cc9eba738c59ad61d3d2993b48bd71e47d4f3de1c055ec4a07ecdc23091f2b32023f6cdd88

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe
                Filesize

                293KB

                MD5

                03a9b443229985b8430fa84688f9ad88

                SHA1

                28f9d326f75917d2063877a05aa405de177f61a4

                SHA256

                30bf5e268df608594f94fecebc946d2f9166bd5a7324f5b23106bd2649a7f3a6

                SHA512

                2e06d823ccfc076447a3ec810a6e3276722d9f782d651838f895e3b99585d45baf809b0a54028f6fbee4fc873784d5a3f509e4869a313c45cbdd8acb7a4cd5b8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe
                Filesize

                293KB

                MD5

                03a9b443229985b8430fa84688f9ad88

                SHA1

                28f9d326f75917d2063877a05aa405de177f61a4

                SHA256

                30bf5e268df608594f94fecebc946d2f9166bd5a7324f5b23106bd2649a7f3a6

                SHA512

                2e06d823ccfc076447a3ec810a6e3276722d9f782d651838f895e3b99585d45baf809b0a54028f6fbee4fc873784d5a3f509e4869a313c45cbdd8acb7a4cd5b8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe
                Filesize

                12KB

                MD5

                f73b3357e1e682c0692201aef4e79da5

                SHA1

                d3bd0583e13d747c16020f8f3f3f254e7cd39a2c

                SHA256

                7f75e4f610b51a8320a0e1942155bed7888482eea9d5967232805e46b9561721

                SHA512

                fed3107670528ffb1dbc5267dbea54a3c74bddad6142753c50937007d7ef383f01d9670f037b25328bc40e113c8a2d7d05bab3588b89414147a777431b6afb96

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe
                Filesize

                12KB

                MD5

                f73b3357e1e682c0692201aef4e79da5

                SHA1

                d3bd0583e13d747c16020f8f3f3f254e7cd39a2c

                SHA256

                7f75e4f610b51a8320a0e1942155bed7888482eea9d5967232805e46b9561721

                SHA512

                fed3107670528ffb1dbc5267dbea54a3c74bddad6142753c50937007d7ef383f01d9670f037b25328bc40e113c8a2d7d05bab3588b89414147a777431b6afb96

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe
                Filesize

                285KB

                MD5

                27fe097082f52b3ec7b759044ad4e17b

                SHA1

                71e005dabf4370ab68266196682caa7915f326c0

                SHA256

                ae0b1d7daae5df1adab405bd037e41aa58107261efc536d6f1c15236fc0b759f

                SHA512

                99aabd17bb7c63c29d021489be8be09dac082ce584a346403cd472e93111c8c1931a11827b5e7bb3b0ea5566f5504c4df42619418a06152df9c2d7a5629e6f02

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe
                Filesize

                285KB

                MD5

                27fe097082f52b3ec7b759044ad4e17b

                SHA1

                71e005dabf4370ab68266196682caa7915f326c0

                SHA256

                ae0b1d7daae5df1adab405bd037e41aa58107261efc536d6f1c15236fc0b759f

                SHA512

                99aabd17bb7c63c29d021489be8be09dac082ce584a346403cd472e93111c8c1931a11827b5e7bb3b0ea5566f5504c4df42619418a06152df9c2d7a5629e6f02

                Download Submit

              • memory/116-17-0x00007FFD66940000-0x00007FFD67401000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/116-15-0x00007FFD66940000-0x00007FFD67401000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/116-14-0x0000000000320000-0x000000000032A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3252-21-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/3252-22-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/3252-23-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/3252-25-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/5060-31-0x0000000007B80000-0x0000000008124000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/5060-30-0x0000000073A90000-0x0000000074240000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/5060-29-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/5060-32-0x0000000007670000-0x0000000007702000-memory.dmp

                Filesize

                584KB

                Download

              • memory/5060-33-0x0000000007900000-0x0000000007910000-memory.dmp

                Filesize

                64KB

                Download

              • memory/5060-34-0x0000000007860000-0x000000000786A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/5060-35-0x0000000008750000-0x0000000008D68000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/5060-36-0x0000000007A20000-0x0000000007B2A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/5060-37-0x0000000007940000-0x0000000007952000-memory.dmp

                Filesize

                72KB

                Download

              • memory/5060-38-0x00000000079A0000-0x00000000079DC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/5060-39-0x0000000007B30000-0x0000000007B7C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/5060-40-0x0000000073A90000-0x0000000074240000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/5060-41-0x0000000007900000-0x0000000007910000-memory.dmp

                Filesize

                64KB

                Download