Analysis
-
max time kernel
93s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 01:49
Static task
static1
General
-
Target
811f66fa14f932f74f348ec0471cf030.exe
-
Size
217KB
-
MD5
811f66fa14f932f74f348ec0471cf030
-
SHA1
45e99adf9a858d66bc4f9711664f554c7645e965
-
SHA256
31a0f98c37f0acc09888796e5a3829ee1478723d2005a67d531c13c9d419937a
-
SHA512
064808e14a1ed0878b8fca3002f458716b32c45706d128e6f3c5af78b299341b0b8ceded00a5be91d40af977adb08d648d03a8f8c540bc64ec3e447e371f76fd
-
SSDEEP
6144:KSy+bnr+Op0yN90QEzsUl1Xs93Le+Ixlh7:uMryy90ZsUc93LylB
Malware Config
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral1/files/0x0007000000023415-11.dat mystic_family -
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000a00000002340b-5.dat healer behavioral1/memory/3700-8-0x0000000000250000-0x000000000025A000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a3320313.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a3320313.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a3320313.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a3320313.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a3320313.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a3320313.exe -
Executes dropped EXE 2 IoCs
pid Process 3700 a3320313.exe 5036 b1949194.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a3320313.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 811f66fa14f932f74f348ec0471cf030.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3700 a3320313.exe 3700 a3320313.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3700 a3320313.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4104 wrote to memory of 3700 4104 811f66fa14f932f74f348ec0471cf030.exe 81 PID 4104 wrote to memory of 3700 4104 811f66fa14f932f74f348ec0471cf030.exe 81 PID 4104 wrote to memory of 5036 4104 811f66fa14f932f74f348ec0471cf030.exe 90 PID 4104 wrote to memory of 5036 4104 811f66fa14f932f74f348ec0471cf030.exe 90 PID 4104 wrote to memory of 5036 4104 811f66fa14f932f74f348ec0471cf030.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\811f66fa14f932f74f348ec0471cf030.exe"C:\Users\Admin\AppData\Local\Temp\811f66fa14f932f74f348ec0471cf030.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3320313.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3320313.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1949194.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1949194.exe2⤵
- Executes dropped EXE
PID:5036
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD56780bb773720356614708151debfb753
SHA100149b9531555bcbecbe28a0169d7ad1a2558121
SHA2568b401bd46fa294627f5252d03edb27770cd0c5009f25e9dd5b66d6e547fed355
SHA5122caa8f54e7b8f294d302ef79df250e6651e0ad0325b09cc5e06c0cf13865e3b45a1720dee2a159b745ff7fb48944b36d2fdc59d99d9e51042a4172abbf01e859
-
Filesize
140KB
MD5712b02c03591a245e6ab488de6244708
SHA15d59cebe9fd0c3baa29250af0a6c2de9369f022e
SHA25603b4a0027f08caf78d560dc8141a09f9c289d025d1607cb9faa2ff3f7a5cb6b9
SHA5122a187f40dc693eb0a70c51c1b862bf24130546d154e8e0d0dcf899ab3a94a48bf2f8d035074379068bd5281a1b57443387f5e34be3600cc99cc59bbb1cb4c742