Overview

overview

10

Static

static

3

382a6e0a08...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-04-2024 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    382a6e0a0801a10f3559789811792b7dcd1d919c96d09e2acc3d5817790877df.exe

  • Size

    526KB

  • MD5

    7b7fa3fa05d2195e3c826165047d191c

  • SHA1

    585082204f514352a5f74e87e2b1d75cb61028cb

  • SHA256

    382a6e0a0801a10f3559789811792b7dcd1d919c96d09e2acc3d5817790877df

  • SHA512

    e8f9f2b248edb3a3487ac070e61c4125e76804c3f6bb6bb3e9502a162e036d945d1bd0f1508be4a9d79f59f4805561497f451650e69c8d5afd5056f689f24455

  • SSDEEP

    12288:wMrgy90Fz/fTJtuZmPDm0ARcbBHMcPeyFq6GGB5KP:AyYTuZwD/ccPGKBKP

Score
10/10
healermysticredlinegruhadropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs
  • Detects executables packed with ConfuserEx Mod 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\382a6e0a0801a10f3559789811792b7dcd1d919c96d09e2acc3d5817790877df.exe
    "C:\Users\Admin\AppData\Local\Temp\382a6e0a0801a10f3559789811792b7dcd1d919c96d09e2acc3d5817790877df.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4673185.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4673185.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q7765974.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q7765974.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1472
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2796540.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2796540.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3608
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 540
              5⤵
              • Program crash
              PID:4668
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 152
            4⤵
            • Program crash
            PID:3344
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2785043.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2785043.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:2356
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 152
            3⤵
            • Program crash
            PID:2308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4640 -ip 4640
        1⤵
          PID:1588
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3608 -ip 3608
          1⤵
            PID:5048
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1236 -ip 1236
            1⤵
              PID:1640

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2785043.exe
              Filesize

              310KB

              MD5

              6ed183ac5c3d07c9fe1842a5d71b2eb8

              SHA1

              eabad50dc71cbe324d6e5a2bb99a30e6694c88a3

              SHA256

              035025a13c06fcd87553f68f7e97838d3858b7b1e0ecfc9d4e2654077b452b3d

              SHA512

              f9bc742f50736e0399e91bcded2793a06b0b74f34c35c30013eeab8aadde2fa57829e8b0347fea07a1bd36cd481aba5aa01fa96cdfc716d8de12037cf6b76726

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4673185.exe
              Filesize

              296KB

              MD5

              3b68417945578195a3df5d3142811db0

              SHA1

              79a78301f6011127914aaf3de88c121345a3d7c3

              SHA256

              f894040a843df87dae9a4cdf4d0e611eb1504ba82716ed1ebe86eb8ef07da111

              SHA512

              f754b1e78060cf03e40e0431e7882fec4f8145eadae0fe2a68532ba7d78f8f185fad8b2ef26e979ea11a0a50a88864a82fca06b4247451672d94d7bab9e4bfd4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q7765974.exe
              Filesize

              11KB

              MD5

              12d98f3000af27fdfca20f1af7541361

              SHA1

              136e8999ad6e024bbde29a5c75c9d4cf47ac2ac6

              SHA256

              cd5e91956a19343419a65eb45c5388b577ff39fbdc75951ff585e1c68ac7a413

              SHA512

              0b54fe7b6b8b4a90da154286143ad12e788ce403dfdd7a3607c9af8eeb905e1008f68804f8e9ee72154f70561b5ab843d5bf00a2f2aaf2d21b191c70c5aa634b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2796540.exe
              Filesize

              276KB

              MD5

              879e771f3b81012db6cc6c4c035442c1

              SHA1

              359fd80a794a4f9120fd24e0877a71a1a0a9e8a3

              SHA256

              ef8bfc7607f43e580c360c060e5baad0f548153b8af20035ecebb1eff3c58b44

              SHA512

              a76920497d11257a0945e419ea642583363bb91978f37c1510abd629ea51bc2befcc48098e8167dc9df1e29520af7f82cf92cd156b79d87f8026cfac03a15d26

              Download Submit

            • memory/1472-14-0x00000000004F0000-0x00000000004FA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1472-15-0x00007FFFD8F50000-0x00007FFFD9A11000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1472-17-0x00007FFFD8F50000-0x00007FFFD9A11000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2356-34-0x000000000AAE0000-0x000000000AAF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2356-32-0x000000000B050000-0x000000000B668000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/2356-39-0x0000000005560000-0x0000000005570000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2356-38-0x0000000073BE0000-0x0000000074390000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2356-29-0x0000000000400000-0x0000000000430000-memory.dmp

              Filesize

              192KB

              Download

            • memory/2356-31-0x0000000073BE0000-0x0000000074390000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2356-30-0x0000000005520000-0x0000000005526000-memory.dmp

              Filesize

              24KB

              Download

            • memory/2356-37-0x0000000002EB0000-0x0000000002EFC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2356-33-0x000000000ABB0000-0x000000000ACBA000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/2356-36-0x000000000AB40000-0x000000000AB7C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/2356-35-0x0000000005560000-0x0000000005570000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3608-21-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3608-23-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3608-22-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3608-25-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download