Overview

overview

10

Static

static

3

8d83b744ad...JC.exe

windows7-x64

10

8d83b744ad...JC.exe

windows10-1703-x64

10

8d83b744ad...JC.exe

windows10-2004-x64

10

8d83b744ad...JC.exe

windows11-21h2-x64

10

Resubmissions

09-04-2024 13:51

240409-q52wsagf78 10

09-04-2024 13:51

240409-q5199agf77 10

09-04-2024 13:51

240409-q5zfnaca3y 10

09-04-2024 13:51

240409-q5y5wsca3x 10

02-09-2023 11:46

230902-nxm2jscg99 10

Analysis

  • max time kernel
    279s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-04-2024 13:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe

  • Size

    820KB

  • MD5

    865c99ae19817cac9d40b35202f6f453

  • SHA1

    980d4e8229c3d7a6bf02596047a015c32d9210e3

  • SHA256

    8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b

  • SHA512

    091016e9888850d673d096090ad87563eb721cbcc311ca0fb4f0948f78f6679363795463081ae335b43061a1b1793c36b2bd1a0f7fe797cf6380303b98648458

  • SSDEEP

    12288:KMrWy90uxp7VpGrXpmKepnfpz4Ahwpkb7cCUOE1RZyYrB8MB1xZhxH0:Qyhp2pm9FBz4AhwpksCHGYYdd7U

Score
10/10
healermysticredlinesrutadropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sruta

C2

77.91.124.82:19071

Attributes
  • auth_value

    c556edcd49703319eca74247de20c236

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:236
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4332
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:768
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3204
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1104
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exe
              6⤵
              • Executes dropped EXE
              PID:4288
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exe
            5⤵
            • Executes dropped EXE
            PID:1268
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2672

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    3
    T1112

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exe
      Filesize

      723KB

      MD5

      4d28a06bc7d389a286f2324caddf1e8c

      SHA1

      59af85cf36a459027b9292d8b73aec4f429ea328

      SHA256

      ac7fefffe24659c5db14a2bb4cc432004020acc268884bc518c6a142f0d8f5c2

      SHA512

      0538c7e09c9253b48d2c503e2dc58c55662d28284aad9c485cfd68582cc9eafa84850b28a517b0b3b5a19b67bddd5b69edc54112889fda881da50fb7b310e45c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exe
      Filesize

      497KB

      MD5

      1e0e32b87a93e15353432ccc538eab1f

      SHA1

      0d3e5f322b3595400fd5587e9e30dee9c01cf6f4

      SHA256

      3b754180b1912716d9cf97762322f660fc3b5a599c41f09287a63ed2db764702

      SHA512

      f8b75ddbb5d5b7956d975e3e8052c62d866b0c07de63c93fbc1f064d27f737de92d2b05f104910f0522c874afb0655770e67b3504dcde641be5b3085ed1446b1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exe
      Filesize

      372KB

      MD5

      cc451ca9b12129e2af20c19f8c0b462d

      SHA1

      657c7c98063b2937e6fb7516f73a31beaeaa8a82

      SHA256

      e464ba3d27af55732f7be815fb3899287c808b69dd5221adbe20f945a78b0455

      SHA512

      159d56c233d25321117a3179d894161ce2bc7b3cb2979c0884e726d2ed89899999c423d83e4f6278f9fea77c621bef2544b02ce54c41d5eba81f4a8ab7604af4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exe
      Filesize

      175KB

      MD5

      b63224b9575d147711fa843872a4b52f

      SHA1

      bcbd067ca7570fa86276639a51f83acb871ba0a9

      SHA256

      6f5abaf57c657b33940a7564e780e4708227921f95ae46ca3c48c8ef9de12932

      SHA512

      97335a1a366b00e5df40dddbb25d91981b69f8fffdf90a55b95fb1bb978ed06ec4ca92334a45dfc276a88f0102e88f7d3c9c246160dd2925576505c24f3ced26

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exe
      Filesize

      217KB

      MD5

      a6c0a7109e1a0ea3364630b92deeda95

      SHA1

      1fe78c74047f279afca45340c6dfd9fc307b4361

      SHA256

      992d938558305206821d24cf8180ce06ff290309b4c4ef8eab13a6ec3a910c97

      SHA512

      20165dac6c17fbc51ce5b05969b318aaee1cf8dd83ab5133775fc14e404448a2ac633d0dad3ea9421cb8b72dda1f65e798db5610de6d12891217a15bb481a640

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exe
      Filesize

      18KB

      MD5

      952034a560be61e4d921f508df8a162b

      SHA1

      1b559a970c6b61dbdf0fbd13d38b150e015a5719

      SHA256

      028936f58c1e1504c9481a7c3da88c682e3d860ae96576305100ab0ccb954b70

      SHA512

      3708633775200299ce1da7402f5530afade06012092d986a0989fc2c1f4fa0f6b47f16a3bcdcaefa6b2ccc8ec0df8246a1faf56c688de006883485b5b65897f8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exe
      Filesize

      140KB

      MD5

      605d09ec259bdf6742ec4d801757f71b

      SHA1

      310b4e0464dc29061c9c3257798bad7905e72038

      SHA256

      2766f4e42fec4fdf0a7cfa874d2eb127a18ca9ddedfeaa987e7175df82bd4927

      SHA512

      a581a00b5b3e5f83d19a045a5ce6e1171f2d33a35d30aa655581779cef82017abb61f9d4701d16db7a570ba0b74be1a4e5a5ecbe2d8d7a783ea921ec40160d14

      Download Submit
    • memory/1104-35-0x0000000000290000-0x000000000029A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1104-36-0x00007FF912E40000-0x00007FF913901000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1104-38-0x00007FF912E40000-0x00007FF913901000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1268-46-0x0000000074490000-0x0000000074C40000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1268-45-0x00000000008E0000-0x0000000000910000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1268-47-0x0000000005100000-0x0000000005106000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1268-48-0x000000000AD80000-0x000000000B398000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1268-49-0x000000000A890000-0x000000000A99A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1268-50-0x000000000A7D0000-0x000000000A7E2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1268-51-0x00000000051D0000-0x00000000051E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1268-52-0x000000000A830000-0x000000000A86C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1268-53-0x000000000A9A0000-0x000000000A9EC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1268-54-0x0000000074490000-0x0000000074C40000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1268-55-0x00000000051D0000-0x00000000051E0000-memory.dmp
      Filesize

      64KB

      Download