Malware Analysis Report

2024-10-24 19:57

Sample ID 231103-epvlzsdg67
Target 21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe
SHA256 21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe
Tags
healer mystic redline gruha dropper evasion infostealer persistence stealer trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe

Threat Level: Known bad

The file 21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe was found to be: Known bad.

Malicious Activity Summary

healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Detects Healer an antivirus disabler dropper

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

Mystic

Detect Mystic stealer payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-03 04:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-03 04:07

Reported

2023-11-03 04:10

Platform

win10v2004-20231020-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A (4 hits)

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (3 hits)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1508 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe 3
PID 4164 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe 2
PID 4164 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe 3
PID 1484 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 3
PID 1484 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 10
PID 1508 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe 3
PID 5020 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe

"C:\Users\Admin\AppData\Local\Temp\21d0424a130446325a54c1d1ebb06f55f1342d911554ef5d56a5d490d4b3acbe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1484 -ip 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 32 -ip 32

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 152

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 connections)
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7507389.exe

MD5 ce9e2943c4562f0ca2295319470450dd
SHA1 116e75a0e819aa36e422fe1027e6ac879afdd858
SHA256 4ac99fae79d6b54ea4e1ff1b147d8648a7e0e93ba502c09520fc7d41807b865e
SHA512 a15f0d6afe1def5f01326ffc5f7e56ccb747e387f1b47f13cc99140ee1050b3a3b2c754a0395daafebcbc9399539a534066a20d8590fdeb88246b89ec287d82a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q1712604.exe

MD5 76989d4a2115b82a2049cdb33100157a
SHA1 a88856b86bd4d4740012517c0fbfdebaccebe04a
SHA256 fa80a2a8759ff817e06922be933215968a162f55089cd6f26190648fffb15be4
SHA512 19719e3eed92c9d907ae53f7d9f77c6421f78d7c6c4094ea87b195f80816a474b124472a0fef4f5bd66eac4939fc89f885332b3a56912b18c4e694b9980107b6

memory/2192-14-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

memory/2192-15-0x00007FFB13B70000-0x00007FFB14631000-memory.dmp

memory/2192-16-0x00007FFB13B70000-0x00007FFB14631000-memory.dmp

memory/2192-18-0x00007FFB13B70000-0x00007FFB14631000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8788629.exe

MD5 2befaa9683c4c672ffd2eb9fe9a80782
SHA1 04ec4e0ea3e2f104673b721844dd77674b890839
SHA256 3b1a7d89461bd526930e994886400dafb69bc8fa88ee1cd5fa53a734cd2ee71f
SHA512 f8943820277cbfb0d7becaa63f43bc82013ee074fb4e20f682297c9edc056d3c02f1ed60c9645ea88c03a65a86d2790dce4d48813cfda65792c1164757a1f2a9

memory/32-22-0x0000000000400000-0x0000000000428000-memory.dmp

memory/32-23-0x0000000000400000-0x0000000000428000-memory.dmp

memory/32-24-0x0000000000400000-0x0000000000428000-memory.dmp

memory/32-26-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0981532.exe

MD5 86527f1cd9f4956ba87076c0875a5d91
SHA1 e551435216e95b802ba75f79073321ed6655f15c
SHA256 d8f105ee220b6e99af532bc281740b57a043bf0bb53cd184e90148d04fef4d14
SHA512 9d40dacc49d12e0a341a6f4267c6ccddeac734f8aa8e0fc20d30395ff258ce66c870159e5abd857992ea8243b839bf7adcdc0f319ec7cc45eb9b4634cf09b3fa

memory/4200-30-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4200-31-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/4200-32-0x0000000003380000-0x0000000003386000-memory.dmp

memory/4200-33-0x0000000006080000-0x0000000006698000-memory.dmp

memory/4200-34-0x0000000005B70000-0x0000000005C7A000-memory.dmp

memory/4200-35-0x0000000005950000-0x0000000005960000-memory.dmp

memory/4200-36-0x00000000058E0000-0x00000000058F2000-memory.dmp

memory/4200-37-0x0000000005A60000-0x0000000005A9C000-memory.dmp

memory/4200-38-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

memory/4200-39-0x0000000073A70000-0x0000000074220000-memory.dmp

memory/4200-40-0x0000000005950000-0x0000000005960000-memory.dmp