Analysis

  • max time kernel
    93s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-06-2024 01:49

General

  • Target

    811f66fa14f932f74f348ec0471cf030.exe

  • Size

    217KB

  • MD5

    811f66fa14f932f74f348ec0471cf030

  • SHA1

    45e99adf9a858d66bc4f9711664f554c7645e965

  • SHA256

    31a0f98c37f0acc09888796e5a3829ee1478723d2005a67d531c13c9d419937a

  • SHA512

    064808e14a1ed0878b8fca3002f458716b32c45706d128e6f3c5af78b299341b0b8ceded00a5be91d40af977adb08d648d03a8f8c540bc64ec3e447e371f76fd

  • SSDEEP

    6144:KSy+bnr+Op0yN90QEzsUl1Xs93Le+Ixlh7:uMryy90ZsUc93LylB

Malware Config

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\811f66fa14f932f74f348ec0471cf030.exe
    "C:\Users\Admin\AppData\Local\Temp\811f66fa14f932f74f348ec0471cf030.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3320313.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3320313.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3700
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1949194.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1949194.exe
      2⤵
      • Executes dropped EXE
      PID:5036

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a3320313.exe

    Filesize

    19KB

    MD5

    6780bb773720356614708151debfb753

    SHA1

    00149b9531555bcbecbe28a0169d7ad1a2558121

    SHA256

    8b401bd46fa294627f5252d03edb27770cd0c5009f25e9dd5b66d6e547fed355

    SHA512

    2caa8f54e7b8f294d302ef79df250e6651e0ad0325b09cc5e06c0cf13865e3b45a1720dee2a159b745ff7fb48944b36d2fdc59d99d9e51042a4172abbf01e859

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b1949194.exe

    Filesize

    140KB

    MD5

    712b02c03591a245e6ab488de6244708

    SHA1

    5d59cebe9fd0c3baa29250af0a6c2de9369f022e

    SHA256

    03b4a0027f08caf78d560dc8141a09f9c289d025d1607cb9faa2ff3f7a5cb6b9

    SHA512

    2a187f40dc693eb0a70c51c1b862bf24130546d154e8e0d0dcf899ab3a94a48bf2f8d035074379068bd5281a1b57443387f5e34be3600cc99cc59bbb1cb4c742

  • memory/3700-7-0x00007FF933113000-0x00007FF933115000-memory.dmp

    Filesize

    8KB

  • memory/3700-8-0x0000000000250000-0x000000000025A000-memory.dmp

    Filesize

    40KB