Malware Analysis Report

2024-10-24 19:57

Sample ID 231101-rhmn1sch6v
Target NEAS.6f532b047ef3133943ba7d1c9e979710.exe
SHA256 3e86bd1463b0fbcb4c39762cee11a8e301816821af2c3708110a65fbe3f16916
Tags
healer mystic redline jordan dropper evasion infostealer persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e86bd1463b0fbcb4c39762cee11a8e301816821af2c3708110a65fbe3f16916

Threat Level: Known bad

The file NEAS.6f532b047ef3133943ba7d1c9e979710.exe was found to be: Known bad.

Malicious Activity Summary

healer mystic redline jordan dropper evasion infostealer persistence stealer trojan

RedLine

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detect Mystic stealer payload

Mystic

Healer

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-01 14:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-01 14:11

Reported

2023-11-01 18:23

Platform

win10v2004-20231023-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe"

Signatures

Detect Mystic stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe | N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4388 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe
PID 4388 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe
PID 4388 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe
PID 2952 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe
PID 2952 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe
PID 2952 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe
PID 2952 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe
PID 2952 wrote to memory of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe
PID 1700 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1700 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1700 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1700 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1700 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1700 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1700 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1700 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1700 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1700 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe
PID 4388 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe
PID 4388 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe
PID 2136 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2136 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2136 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2136 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2136 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2136 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2136 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2136 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2136 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2136 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2136 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.6f532b047ef3133943ba7d1c9e979710.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1700 -ip 1700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3252 -ip 3252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2136 -ip 2136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 152

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.22.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
FI | 77.91.124.55:19071 | | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
FI | 77.91.124.55:19071 | | tcp
FI | 77.91.124.55:19071 | | tcp
FI | 77.91.124.55:19071 | | tcp
FI | 77.91.124.55:19071 | | tcp
US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp
FI | 77.91.124.55:19071 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9474111.exe

MD5 03a9b443229985b8430fa84688f9ad88
SHA1 28f9d326f75917d2063877a05aa405de177f61a4
SHA256 30bf5e268df608594f94fecebc946d2f9166bd5a7324f5b23106bd2649a7f3a6
SHA512 2e06d823ccfc076447a3ec810a6e3276722d9f782d651838f895e3b99585d45baf809b0a54028f6fbee4fc873784d5a3f509e4869a313c45cbdd8acb7a4cd5b8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q4687438.exe

MD5 f73b3357e1e682c0692201aef4e79da5
SHA1 d3bd0583e13d747c16020f8f3f3f254e7cd39a2c
SHA256 7f75e4f610b51a8320a0e1942155bed7888482eea9d5967232805e46b9561721
SHA512 fed3107670528ffb1dbc5267dbea54a3c74bddad6142753c50937007d7ef383f01d9670f037b25328bc40e113c8a2d7d05bab3588b89414147a777431b6afb96

memory/116-14-0x0000000000320000-0x000000000032A000-memory.dmp

memory/116-15-0x00007FFD66940000-0x00007FFD67401000-memory.dmp

memory/116-17-0x00007FFD66940000-0x00007FFD67401000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9927096.exe

MD5 27fe097082f52b3ec7b759044ad4e17b
SHA1 71e005dabf4370ab68266196682caa7915f326c0
SHA256 ae0b1d7daae5df1adab405bd037e41aa58107261efc536d6f1c15236fc0b759f
SHA512 99aabd17bb7c63c29d021489be8be09dac082ce584a346403cd472e93111c8c1931a11827b5e7bb3b0ea5566f5504c4df42619418a06152df9c2d7a5629e6f02

memory/3252-21-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3252-22-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3252-23-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3252-25-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0008370.exe

MD5 ad16c57165109d65188d097b45db4d63
SHA1 02569eafdc59bebafa84f117d5c6626f1d3f01d9
SHA256 524dc40a05ee0256996f5626923d69b7b610798f8480220695b3277db71b9ec7
SHA512 5e6eafd8ac5376db95b84964c07930fc899ed3e78d2e0cda2d3441cc9eba738c59ad61d3d2993b48bd71e47d4f3de1c055ec4a07ecdc23091f2b32023f6cdd88

memory/5060-29-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5060-30-0x0000000073A90000-0x0000000074240000-memory.dmp

memory/5060-31-0x0000000007B80000-0x0000000008124000-memory.dmp

memory/5060-32-0x0000000007670000-0x0000000007702000-memory.dmp

memory/5060-33-0x0000000007900000-0x0000000007910000-memory.dmp

memory/5060-34-0x0000000007860000-0x000000000786A000-memory.dmp

memory/5060-35-0x0000000008750000-0x0000000008D68000-memory.dmp

memory/5060-36-0x0000000007A20000-0x0000000007B2A000-memory.dmp

memory/5060-37-0x0000000007940000-0x0000000007952000-memory.dmp

memory/5060-38-0x00000000079A0000-0x00000000079DC000-memory.dmp

memory/5060-39-0x0000000007B30000-0x0000000007B7C000-memory.dmp

memory/5060-40-0x0000000073A90000-0x0000000074240000-memory.dmp

memory/5060-41-0x0000000007900000-0x0000000007910000-memory.dmp