Analysis

  • max time kernel
    133s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-11-2023 02:27

General

  • Target

    NEAS.f53a98f06fe1d974a2bdba44efee8d50.exe

  • Size

    491KB

  • MD5

    f53a98f06fe1d974a2bdba44efee8d50

  • SHA1

    a4933df2002645169bf956ae6b5f656e77e30576

  • SHA256

    c86839815d01abe72d7176a985bece846724409453d19c6d6d0978d89a07e98c

  • SHA512

    832c3b7055f32773ae87343e3b9ad1af1559dc1453e2594dcedc0acdff0400083508473a3af52eb802cfa68e8c87768d611980fb96d0c8aa9b146e554adb137a

  • SSDEEP

    12288:ZMrwy901uXbQFtUfYFktimfq2ZbGtTPyqFDbJZz:tyyUYqwhdtTPyEDdt

Malware Config

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f53a98f06fe1d974a2bdba44efee8d50.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.f53a98f06fe1d974a2bdba44efee8d50.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q4880156.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q4880156.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2492
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 148
        3⤵
        • Program crash
        PID:2404
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r6633854.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r6633854.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        PID:2784
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        PID:4808
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        PID:4556
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 540
          4⤵
          • Program crash
          PID:4288
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 152
        3⤵
        • Program crash
        PID:3748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 912
    1⤵
    PID:2232
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2528 -ip 2528
    1⤵
    PID:3116
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4556 -ip 4556
    1⤵
    PID:2324

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q4880156.exe

    Filesize

    860KB

    MD5

    f11b209b260aa99db74a9ba46e6b8397

    SHA1

    ba575179a0bc477e002bc00f67d3a3e420dc0b6c

    SHA256

    327b33011a018ab26a5e2692fb5ebe4089515a4e637a4454223502233d236cb8

    SHA512

    831147d228a6c81d95390d31b33e2393321665d8693ee19a3ff789587e169a1770d698840565e37503752ec825ef3138540f47cf5849ab7ace4fbcbadea99ac9

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r6633854.exe

    Filesize

    1016KB

    MD5

    5fad4f58c4ae0c375203fcd64c1c84cd

    SHA1

    0a31ecd31a7c81ba5ee4219aba698957a92d9135

    SHA256

    2e825f435b02ef57f8a571c331109abb7150f3627ca07096fb37bf9c5564b5c5

    SHA512

    9db2b7f02dc9dc2047360b4cb6b58866c1046cd2a7795f3e85cf6d1ffae8644d81ac811178d5034e1c47e737cf7a0045dee72688c656f1bcc494d4a608ce032e

  • memory/2492-7-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2492-8-0x0000000073AF0000-0x00000000742A0000-memory.dmp

    Filesize

    7.7MB

  • memory/2492-9-0x0000000073AF0000-0x00000000742A0000-memory.dmp

    Filesize

    7.7MB

  • memory/2492-19-0x0000000073AF0000-0x00000000742A0000-memory.dmp

    Filesize

    7.7MB

  • memory/4556-13-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/4556-14-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/4556-15-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/4556-17-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB