Overview

overview

10

Static

static

3

21d0424a13...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2023 04:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe

  • Size

    527KB

  • MD5

    a3d6afc43a4d86712ffe2aa629160fb9

  • SHA1

    561484ebca46ed027eea54a73d07495ecda444e3

  • SHA256

    21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe

  • SHA512

    eacb347f07ad989f9329ea4b7c69fdf6ac585b94dc815b0f233389e5ea940f43dd179fec0ed43a9bd2685d7cb80a3345db3a6fa9f6c96e1c6c35daf7b2253891

  • SSDEEP

    12288:rMrZy90zvE6M60ko89xfzw+fvv2SYwM/7M55ht/Q4g:ay0t5o8Tw+fv9YwmghQz

Score
10/10
healermysticredlinegruhadropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe
    "C:\Users\Admin\AppData\Local\Temp\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4164
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2192
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1484
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4376
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:32
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 540
                5⤵
                • Program crash
                PID:1336
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 152
              4⤵
              • Program crash
              PID:2244
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:5020
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
              PID:4200
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 152
              3⤵
              • Program crash
              PID:3568
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1484 -ip 1484
          1⤵
            PID:3280
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 32 -ip 32
            1⤵
              PID:564
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5020 -ip 5020
              1⤵
                PID:2172

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Privilege Escalation

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Defense Evasion

              Modify Registry

              3
              T1112

              Impair Defenses

              2
              T1562

              Disable or Modify Tools

              2
              T1562.001

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe
                Filesize

                310KB

                MD5

                86527f1cd9f4956ba87076c0875a5d91

                SHA1

                e551435216e95b802ba75f79073321ed6655f15c

                SHA256

                d8f105ee220b6e99af532bc281740b57a043bf0bb53cd184e90148d04fef4d14

                SHA512

                9d40dacc49d12e0a341a6f4267c6ccddeac734f8aa8e0fc20d30395ff258ce66c870159e5abd857992ea8243b839bf7adcdc0f319ec7cc45eb9b4634cf09b3fa

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe
                Filesize

                310KB

                MD5

                86527f1cd9f4956ba87076c0875a5d91

                SHA1

                e551435216e95b802ba75f79073321ed6655f15c

                SHA256

                d8f105ee220b6e99af532bc281740b57a043bf0bb53cd184e90148d04fef4d14

                SHA512

                9d40dacc49d12e0a341a6f4267c6ccddeac734f8aa8e0fc20d30395ff258ce66c870159e5abd857992ea8243b839bf7adcdc0f319ec7cc45eb9b4634cf09b3fa

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe
                Filesize

                295KB

                MD5

                ce9e2943c4562f0ca2295319470450dd

                SHA1

                116e75a0e819aa36e422fe1027e6ac879afdd858

                SHA256

                4ac99fae79d6b54ea4e1ff1b147d8648a7e0e93ba502c09520fc7d41807b865e

                SHA512

                a15f0d6afe1def5f01326ffc5f7e56ccb747e387f1b47f13cc99140ee1050b3a3b2c754a0395daafebcbc9399539a534066a20d8590fdeb88246b89ec287d82a

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe
                Filesize

                295KB

                MD5

                ce9e2943c4562f0ca2295319470450dd

                SHA1

                116e75a0e819aa36e422fe1027e6ac879afdd858

                SHA256

                4ac99fae79d6b54ea4e1ff1b147d8648a7e0e93ba502c09520fc7d41807b865e

                SHA512

                a15f0d6afe1def5f01326ffc5f7e56ccb747e387f1b47f13cc99140ee1050b3a3b2c754a0395daafebcbc9399539a534066a20d8590fdeb88246b89ec287d82a

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe
                Filesize

                11KB

                MD5

                76989d4a2115b82a2049cdb33100157a

                SHA1

                a88856b86bd4d4740012517c0fbfdebaccebe04a

                SHA256

                fa80a2a8759ff817e06922be933215968a162f55089cd6f26190648fffb15be4

                SHA512

                19719e3eed92c9d907ae53f7d9f77c6421f78d7c6c4094ea87b195f80816a474b124472a0fef4f5bd66eac4939fc89f885332b3a56912b18c4e694b9980107b6

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe
                Filesize

                11KB

                MD5

                76989d4a2115b82a2049cdb33100157a

                SHA1

                a88856b86bd4d4740012517c0fbfdebaccebe04a

                SHA256

                fa80a2a8759ff817e06922be933215968a162f55089cd6f26190648fffb15be4

                SHA512

                19719e3eed92c9d907ae53f7d9f77c6421f78d7c6c4094ea87b195f80816a474b124472a0fef4f5bd66eac4939fc89f885332b3a56912b18c4e694b9980107b6

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe
                Filesize

                276KB

                MD5

                2befaa9683c4c672ffd2eb9fe9a80782

                SHA1

                04ec4e0ea3e2f104673b721844dd77674b890839

                SHA256

                3b1a7d89461bd526930e994886400dafb69bc8fa88ee1cd5fa53a734cd2ee71f

                SHA512

                f8943820277cbfb0d7becaa63f43bc82013ee074fb4e20f682297c9edc056d3c02f1ed60c9645ea88c03a65a86d2790dce4d48813cfda65792c1164757a1f2a9

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe
                Filesize

                276KB

                MD5

                2befaa9683c4c672ffd2eb9fe9a80782

                SHA1

                04ec4e0ea3e2f104673b721844dd77674b890839

                SHA256

                3b1a7d89461bd526930e994886400dafb69bc8fa88ee1cd5fa53a734cd2ee71f

                SHA512

                f8943820277cbfb0d7becaa63f43bc82013ee074fb4e20f682297c9edc056d3c02f1ed60c9645ea88c03a65a86d2790dce4d48813cfda65792c1164757a1f2a9

                Download Submit
              • memory/32-24-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/32-26-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/32-22-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/32-23-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/2192-16-0x00007FFB13B70000-0x00007FFB14631000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2192-18-0x00007FFB13B70000-0x00007FFB14631000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2192-15-0x00007FFB13B70000-0x00007FFB14631000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2192-14-0x0000000000CA0000-0x0000000000CAA000-memory.dmp
                Filesize

                40KB

                Download
              • memory/4200-33-0x0000000006080000-0x0000000006698000-memory.dmp
                Filesize

                6.1MB

                Download
              • memory/4200-31-0x0000000073A70000-0x0000000074220000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/4200-32-0x0000000003380000-0x0000000003386000-memory.dmp
                Filesize

                24KB

                Download
              • memory/4200-30-0x0000000000400000-0x0000000000430000-memory.dmp
                Filesize

                192KB

                Download
              • memory/4200-34-0x0000000005B70000-0x0000000005C7A000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/4200-35-0x0000000005950000-0x0000000005960000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4200-36-0x00000000058E0000-0x00000000058F2000-memory.dmp
                Filesize

                72KB

                Download
              • memory/4200-37-0x0000000005A60000-0x0000000005A9C000-memory.dmp
                Filesize

                240KB

                Download
              • memory/4200-38-0x0000000005AA0000-0x0000000005AEC000-memory.dmp
                Filesize

                304KB

                Download
              • memory/4200-39-0x0000000073A70000-0x0000000074220000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/4200-40-0x0000000005950000-0x0000000005960000-memory.dmp
                Filesize

                64KB

                Download