Overview

overview

10

Static

static

3

0314c3cf58...62.exe

windows10-2004-x64

10

142ed11f80...59.exe

windows10-2004-x64

10

1f54336cee...4f.exe

windows10-2004-x64

10

2470f02746...37.exe

windows10-2004-x64

10

357dca1dd0...e2.exe

windows7-x64

10

357dca1dd0...e2.exe

windows10-2004-x64

10

367729c840...03.exe

windows10-2004-x64

10

3ae8cc733e...e3.exe

windows10-2004-x64

10

3ff87c5bd0...30.exe

windows10-2004-x64

10

4157cda315...a6.exe

windows10-2004-x64

10

5f318080c6...ea.exe

windows10-2004-x64

10

620f9ee1b4...8f.exe

windows10-2004-x64

10

6817354347...3a.exe

windows10-2004-x64

10

753cdc12b9...91.exe

windows10-2004-x64

10

a4215d26b6...74.exe

windows10-2004-x64

10

a4375e040f...82.exe

windows10-2004-x64

10

a619ae77d5...2e.exe

windows10-2004-x64

10

aaab139650...12.exe

windows10-2004-x64

10

aefec08eba...49.exe

windows10-2004-x64

10

d12f5fa25c...70.exe

windows10-2004-x64

7

e5b42981fd...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a.exe

  • Size

    633KB

  • MD5

    ade1582c6f516a251b48126cd5f22f55

  • SHA1

    8f2dbe7998b7ca7090eb7b0ad8192ae798b5d488

  • SHA256

    68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a

  • SHA512

    96f1f614d8b2092a16ee69003c1340e9623e5742e09d8956deb368b47078b1be6d1a5a6952e90002732537efc6c6032311fbf66dda0fe79c379704d200f1e1fe

  • SSDEEP

    12288:bMrjy90C6QjVHg1WhG2w6jE9l3bfr0M4rI6pvIlIE4uXIU1/s:oyP6YVHO0G2K/LzoVDE4uXIU1/s

Score
10/10
healermysticredlinegruhadropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a.exe
    "C:\Users\Admin\AppData\Local\Temp\68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6954207.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6954207.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0800690.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0800690.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2652
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4528
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 608
            4⤵
            • Program crash
            PID:3688
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3435926.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3435926.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2868
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:3648
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 564
              4⤵
              • Program crash
              PID:3948
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7623519.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7623519.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4568
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
              PID:1152
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 592
              3⤵
              • Program crash
              PID:1572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 396 -ip 396
          1⤵
            PID:212
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2868 -ip 2868
            1⤵
              PID:3996
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4568 -ip 4568
              1⤵
                PID:2224
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start wuauserv
                1⤵
                • Launches sc.exe
                PID:3696

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7623519.exe
                Filesize

                413KB

                MD5

                6829efb4da0030cfa94ecdcac2086ff3

                SHA1

                c438c4106b2f3a554297d58b6770a3f4540d8742

                SHA256

                1406b87b7ed715b2e22e5d26ba324b62900483a559f8cdce3364b803d08b8a17

                SHA512

                c443e443d0238ebb5876e0e9c8e77a52e569ac9dca65e3bd02363ffa2a3cbf868ce1364cde4f4f4abaeccd310142e65e18f9232d41164b13cbeed6d223f4e14c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6954207.exe
                Filesize

                355KB

                MD5

                b506c2e70307b288351f84753d07adfb

                SHA1

                6b8e9e36d2d4df7fe63c1b44d26a5be699187112

                SHA256

                92bbf7e7f88810770ec295f64957e195f2199439dc7fe323687f5ef644675168

                SHA512

                54cfaf8d891b04045429a0ef613bbc9dc65415b83b590c0a13b1bd64f620f4ca56db2d1ca0f6a33ea367e9d5af1cb09c794309aba4ff8c68c8327714131d3f77

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0800690.exe
                Filesize

                250KB

                MD5

                8dfd80cf2ff800cceb193b13b91ebcba

                SHA1

                39e4ad8623d87763be1decd29da1fd3b22024604

                SHA256

                0b91e62e241ab2354e6da555313164026de466ef9af888b961e99dffd18c09a2

                SHA512

                8bd5b9d41976c1db1b96988725fd3a77671d3f064e31708d9aae1e282db37ae4d3dd0c132dfbff29004c8f285da1f33a49b684d96b13c8b064c66a07ce385494

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3435926.exe
                Filesize

                379KB

                MD5

                d82df25bfb43f92d3b40e8a2f9653d47

                SHA1

                59f683b525bf05e29bdd20060edada9905f63739

                SHA256

                9c2767a3b910fba2cd0e9ec9e07aa7570da0ea26aa3f19a0d8f986f516476e42

                SHA512

                e6c680083d039b5c3670a9cde4bb8b799b051f0a4cdc14513c1ff274782f449cf5d8816dfd49a4def0effb2094d46e224517f510919727cca53cb145cf4b847d

                Download Submit

              • memory/1152-26-0x0000000000400000-0x0000000000430000-memory.dmp

                Filesize

                192KB

                Download

              • memory/1152-27-0x0000000002A80000-0x0000000002A86000-memory.dmp

                Filesize

                24KB

                Download

              • memory/1152-28-0x000000000AC80000-0x000000000B298000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/1152-29-0x000000000A770000-0x000000000A87A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1152-30-0x000000000A690000-0x000000000A6A2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/1152-31-0x000000000A6F0000-0x000000000A72C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/1152-32-0x00000000029C0000-0x0000000002A0C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3648-19-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/3648-22-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/3648-20-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/4528-15-0x000000007463E000-0x000000007463F000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4528-14-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download