healer | 47889c48da4c5e390f10c04d8390b2c5d9f68bec127bf0e18bbe686b9079b922

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe
Size

490KB
MD5

e0f4a803421ae7cf8f3ec6b79f4e6644
SHA1

879c5d1acd49dc1de7a5038961b6a176bd32be94
SHA256

7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd
SHA512

a77d1a1f049c018be195de927b94de1465c0e51020232f5307d567ee994abac101208796e01d0bd4f7064c7d8d2bea2b9a73f8543dbacf4f878a9b8faa31ee83
SSDEEP

12288:YMrfy90TEL3H7cAAP1fbuq6Sn5ZM+eLtR6:ny13IzCq6Sn5G+eLtR6

Score

10^/10

healer mystic smokeloader backdoor dropper evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral13/memory/3244-24-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral13/memory/3244-25-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral13/memory/3244-27-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral13/files/0x0008000000023440-12.dat	healer
behavioral13/memory/944-14-0x00000000008A0000-0x00000000008AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1mo64pt1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1mo64pt1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1mo64pt1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1mo64pt1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1mo64pt1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1mo64pt1.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
336	lf7vs80.exe
944	1mo64pt1.exe
3932	2rn8858.exe
4344	3VR83ec.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1mo64pt1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	lf7vs80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3932 set thread context of 4868	3932	2rn8858.exe	98
PID 4344 set thread context of 3244	4344	3VR83ec.exe	104

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2932	3932	WerFault.exe	95
1700	4344	WerFault.exe	102

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
944	1mo64pt1.exe
944	1mo64pt1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	1mo64pt1.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 336	3712	7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe	82
PID 3712 wrote to memory of 336	3712	7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe	82
PID 3712 wrote to memory of 336	3712	7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe	82
PID 336 wrote to memory of 944	336	lf7vs80.exe	83
PID 336 wrote to memory of 944	336	lf7vs80.exe	83
PID 336 wrote to memory of 3932	336	lf7vs80.exe	95
PID 336 wrote to memory of 3932	336	lf7vs80.exe	95
PID 336 wrote to memory of 3932	336	lf7vs80.exe	95
PID 3932 wrote to memory of 4744	3932	2rn8858.exe	97
PID 3932 wrote to memory of 4744	3932	2rn8858.exe	97
PID 3932 wrote to memory of 4744	3932	2rn8858.exe	97
PID 3932 wrote to memory of 4868	3932	2rn8858.exe	98
PID 3932 wrote to memory of 4868	3932	2rn8858.exe	98
PID 3932 wrote to memory of 4868	3932	2rn8858.exe	98
PID 3932 wrote to memory of 4868	3932	2rn8858.exe	98
PID 3932 wrote to memory of 4868	3932	2rn8858.exe	98
PID 3932 wrote to memory of 4868	3932	2rn8858.exe	98
PID 3712 wrote to memory of 4344	3712	7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe	102
PID 3712 wrote to memory of 4344	3712	7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe	102
PID 3712 wrote to memory of 4344	3712	7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe	102
PID 4344 wrote to memory of 3244	4344	3VR83ec.exe	104
PID 4344 wrote to memory of 3244	4344	3VR83ec.exe	104
PID 4344 wrote to memory of 3244	4344	3VR83ec.exe	104
PID 4344 wrote to memory of 3244	4344	3VR83ec.exe	104
PID 4344 wrote to memory of 3244	4344	3VR83ec.exe	104
PID 4344 wrote to memory of 3244	4344	3VR83ec.exe	104
PID 4344 wrote to memory of 3244	4344	3VR83ec.exe	104
PID 4344 wrote to memory of 3244	4344	3VR83ec.exe	104
PID 4344 wrote to memory of 3244	4344	3VR83ec.exe	104
PID 4344 wrote to memory of 3244	4344	3VR83ec.exe	104

C:\Users\Admin\AppData\Local\Temp\7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe
"C:\Users\Admin\AppData\Local\Temp\7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lf7vs80.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lf7vs80.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mo64pt1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mo64pt1.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2rn8858.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2rn8858.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4744
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Checks SCSI registry key(s)
      PID:4868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 616
      4⤵
      Program crash
      PID:2932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3VR83ec.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3VR83ec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 152
    3⤵
    - Program crash
    PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3932 -ip 3932
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4344 -ip 4344
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3VR83ec.exe

Filesize
285KB

MD5
4857564c4f915db2e05b86f8d3aaa8d5

SHA1
19fa7769475a5f25d0aa0112a8deaa3bb491a55a

SHA256
df243004cdb7bd239defd6085631357e6ec12ff4631ae96a2be2a661d2509ec3

SHA512
b6934cb88e03c134aff18f82299fa9420be59445c929f5a076d7609067729efaa39f908ea31ecce02d036dd84a599742061373ca25156b52084b1f2c51a5f444

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lf7vs80.exe

Filesize
248KB

MD5
c4ac9d6c522c95e1e93aba4c4aa3fdd5

SHA1
9008a4934ed242ab356778843c09babd4113ef78

SHA256
662f398e8091ccc4bdd7634d852d8be2f818508950739d642859eb725f090fd3

SHA512
9c78ab38dd4e0006471b925b496c83d5e0843fb5e10241283a7ac75c9efb9c6c887744ae8666866f63509a1c9869577f4c8147805dd03f2ec0defee0a0e23c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mo64pt1.exe

Filesize
12KB

MD5
76a340002dd78e493c77072d011742a6

SHA1
8c228a72586a68ed08a66398865414070171782b

SHA256
8d38bfbaab1e977e27444bd4055630ce14685811b7b0595dfe5fbc5e08ac3ec1

SHA512
1f833f39cd12235dfe381b06e29fc76e6980e73aae44b1ce3098dd2074d87a7d57cca9555ae69b01deeeb295f16608a5787f9d3d5210d73bd78ecb64124edf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2rn8858.exe

Filesize
175KB

MD5
f8dbfa9ac5dee6c7a21c9db4eef38608

SHA1
fd920470d0b2720bc1a6fa473f1654ca1fe60cb2

SHA256
fe0adc1a700eb1bf5685f0a0e40ce264d5a9ecd4ddefb0429d13ad7e0df606da

SHA512
0e134d4033bc2ce7b545d7abc43c094ea0a48532e246ca32f999bc1d0aa708f4e941426ded22b034def980fa84189809192fd3915f28df5cb981688c74bb53bb

Download Submit
memory/944-14-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/944-15-0x00007FFD42293000-0x00007FFD42295000-memory.dmp

Filesize
8KB

Download
memory/3244-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3244-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3244-27-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4868-20-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download