Resubmissions

20-08-2024 16:20

240820-ts5npa1hlg 10

20-08-2024 15:13

240820-slvpgayepd 10

Analysis

  • max time kernel
    27s
  • max time network
    36s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    20-08-2024 16:20

General

  • Target

    a1e5b6abdfff86723f005da754eef040N.exe

  • Size

    722KB

  • MD5

    a1e5b6abdfff86723f005da754eef040

  • SHA1

    3e011e66fc70160342ec11cb33228965cb6463b1

  • SHA256

    0305d2b6c0e5a97563a4c1099f4e6af9452bc102c37b5c9418f88da8991c5f64

  • SHA512

    b3f069c1716f0480ccf3e20f14dd9fdeca629c630a5de75f91de29f5a9b7068937a8fe8dd7dae6ad78ab7029507a2b4687291b448554a9114079972cd06aeec3

  • SSDEEP

    12288:6MrVy90RmQZAZq88kMXB03V+t0mU9aseTa8ADQoVO4s0e9t5VItDvHQcQawuKWBV:3yDbLMR2cRsUrore75yNvHVHBV

Malware Config

Extracted

Family

redline

Botnet

rota

C2

77.91.124.73:19071

Attributes
  • auth_value

    320c7daa59eb9b82e20a15162392a756

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 20 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1e5b6abdfff86723f005da754eef040N.exe
    "C:\Users\Admin\AppData\Local\Temp\a1e5b6abdfff86723f005da754eef040N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7804363.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7804363.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4696654.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4696654.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3668
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8661683.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8661683.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8790443.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8790443.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2308
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5770102.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5770102.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4864
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7982580.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7982580.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4828
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 240CD0FEC6468ED5A4A8A6261C9B80D9
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 92E17DD4389AF5BF5244C093091C61C9 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4216
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FindResolve.ps1xml
    1⤵
    • Opens file in notepad (likely ransom note)
    • Suspicious use of FindShellTrayWindow
    PID:4364
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\OutConvert.jpg" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1628
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • Create or Modify System Process (1) T1543
  • Windows Service (1) T1543.003
  • Boot or Logon Autostart Execution (1) T1547
  • Registry Run Keys / Startup Folder (1) T1547.001

Privilege Escalation
  • Create or Modify System Process (1) T1543
  • Windows Service (1) T1543.003
  • Boot or Logon Autostart Execution (1) T1547
  • Registry Run Keys / Startup Folder (1) T1547.001

Defense Evasion
  • Modify Registry (3) T1112
  • Impair Defenses (2) T1562
  • Disable or Modify Tools (2) T1562.001

Discovery
  • Query Registry (1) T1012
  • Peripheral Device Discovery (1) T1120
  • System Information Discovery (1) T1082
  • System Location Discovery (1) T1614
  • System Language Discovery (1) T1614.001

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
    Filesize

    2B

    MD5

    d751713988987e9331980363e24189ce

    SHA1

    97d170e1550eee4afc0af065b78cda302a97674c

    SHA256

    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

    SHA512

    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
    Filesize

    233B

    MD5

    864fb58c3a5d6dd45fb5d579a7f5a604

    SHA1

    24e8be97a22fa942d755dbe00b9d6d1393f1471f

    SHA256

    88bdf13a29680532d3fc169942a0c8ed6d277646e76152bb26d3bc1b556f3e00

    SHA512

    8f2d032ddd048972be99b23868de089c0230c0ee3bd246021e449ed6594effd42d1f9cd3be96f30bad4fb832ba28a96bf26670d6e194f5e63f0417d906e51c91

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
    Filesize

    2KB

    MD5

    404a3ec24e3ebf45be65e77f75990825

    SHA1

    1e05647cf0a74cedfdeabfa3e8ee33b919780a61

    SHA256

    cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

    SHA512

    a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7804363.exe
    Filesize

    496KB

    MD5

    5c55825d204671d894dab7212e6b1288

    SHA1

    2d01b5597436465e40f3815d3a19aaee5246fc0a

    SHA256

    1b338265a1532c07d3f445afe0f4fc507116afe3740d7322e61dfd4cf3ec4e0a

    SHA512

    1fa4dccda60fbad260d9c82db2a5ef0d0862c140dd4acc9bfa4e7795c365e432b00d75024a60870a5703a79614fdddab2e62926b032ec1d050023a28043a3d4c

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4696654.exe
    Filesize

    372KB

    MD5

    b35d6095193e86900770caa4186653dc

    SHA1

    dca2023dea0d4a8e0091c3561ed8cb3274f8ab65

    SHA256

    0fa3f28e5ba7bfb98c8b0c7147d9571ce5c5aa00ef502d0a08e0a91ab48b3a51

    SHA512

    b5eb68e98fe8bf434d3307ca3077cc7455bd6e5137cb16f3f4de23384674e04ee088a812f3307793c1c37f090336a66924ee34797ac2a096b91991cc9fa889ef

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7982580.exe
    Filesize

    174KB

    MD5

    130e19cca78b821d410a4985c3b1d417

    SHA1

    6925476d93dd4db88e4272d632e1cfe2f76bccf6

    SHA256

    ebef9948acf9181dbd49c6be9b6d60b6b8fffc6b6f9e6a7a0440fd0a321884cd

    SHA512

    f62e7c7d9fb13ee673118e79688a26d1d0a2ebcac225937d57b23928cc40db51a04d565cfc891afde9ce893937c853fdda34b0b99437faf8a7d8b72a92682bf3

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8661683.exe
    Filesize

    217KB

    MD5

    7482fc5fb45083a0d70bcf9ce53e3340

    SHA1

    2d3c0807403848bc4d061ab2e5c176bc2d218f7b

    SHA256

    912eef92f243e311a628d62bfaaa98c0cbeec83fb2dd943590dc33e3a46deb85

    SHA512

    f2c5235f6935ccd30b2869990566a6c609dc7a8e8d60d610b38e9a84cf7e9360e1adfb1aba7edf53b14c49296687ee11b6658a95356a3462502fc45f0d2c69ee

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8790443.exe
    Filesize

    12KB

    MD5

    3c8680d176e553231b3aa1456e551723

    SHA1

    3872cde2a32e6c9a28010e665dd0ea560bb2bbad

    SHA256

    55d55a8fe96acff4290721503a14379da8485f205280c848b92a43210af1d127

    SHA512

    48ad5a81909f46c059f3ad0348b051e4b5572575884d6303e8b27052c171f013e1597cd0fbe0d264c25b2dbe067fa83f25970762f6c0a7e3fd8dd6cbaa0c6aa3

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5770102.exe
    Filesize

    140KB

    MD5

    b64a87e4a3be21ce357ae931675212c4

    SHA1

    01f4209e3bd93a9dd0abc630d1ea37f6e67ee0fb

    SHA256

    4eb1f5a15815611fbd8318ae253bbcd384ffb233f9523082c0f76ca616b69165

    SHA512

    710f4b355dda97612def624808499b575272bc1c6e367a70b9dc485634a08f1a6145afcbba4962eb4db245f95c8e3a4e375a2c9782b3fbdd2efcf7f7b255adb5

  • C:\Windows\Installer\MSI21D9.tmp
    Filesize

    271KB

    MD5

    f88c6a79abbb5680ae8628fbc7a6915c

    SHA1

    6e1eb7906cdae149c6472f394fa8fe8dc274a556

    SHA256

    5ded99991217600ebd0b48f21c4cd946f3c7858f07d712fcfb93f743faa635ed

    SHA512

    33e150822331356e1cdcbff824b897ca5bf2bed0345d2fa39cf9b1f36a77201167819761b1cc3b6cb02a87625e0b6b85a8505281ccc575ca6b73af68e1e90361

  • C:\Windows\Installer\MSIF7FC.tmp
    Filesize

    57KB

    MD5

    c23d4d5a87e08f8a822ad5a8dbd69592

    SHA1

    317df555bc309dace46ae5c5589bec53ea8f137e

    SHA256

    6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

    SHA512

    fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

  • C:\Windows\Installer\MSIFA6E.tmp
    Filesize

    418KB

    MD5

    67f23a38c85856e8a20e815c548cd424

    SHA1

    16e8959c52f983e83f688f4cce3487364b1ffd10

    SHA256

    f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40

    SHA512

    41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d

  • C:\Windows\Installer\MSIFD41.tmp
    Filesize

    209KB

    MD5

    0e91605ee2395145d077adb643609085

    SHA1

    303263aa6889013ce889bd4ea0324acdf35f29f2

    SHA256

    5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b

    SHA512

    3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be

  • C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico
    Filesize

    340KB

    MD5

    d07cea5fbf17f2ffa4fdcb38e395dbaf

    SHA1

    c0218a4f53428d71f19f1121b8532b3fe0d178b9

    SHA256

    c5ba5c23decaa64a9176f20f8b18a8c89b42ed54f55f3285bd400fd74051e37e

    SHA512

    98ad990280e9db23ee91e23ee5d0ebc8e289eed7923cd07bb31b845af28ebe0a09bc49f9de2c7e81a49a041d9f87f089a4a67402e1182c41e0d41a3e47264d4f

  • \Windows\Installer\MSIFBD8.tmp
    Filesize

    148KB

    MD5

    be0b6bea2e4e12bf5d966c6f74fa79b5

    SHA1

    8468ec23f0a30065eee6913bf8eba62dd79651ec

    SHA256

    6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164

    SHA512

    dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b

  • memory/2308-28-0x0000000000C40000-0x0000000000C4A000-memory.dmp
    Filesize

    40KB

  • memory/4828-71-0x000000000A800000-0x000000000AE06000-memory.dmp
    Filesize

    6.0MB

  • memory/4828-72-0x000000000A370000-0x000000000A47A000-memory.dmp
    Filesize

    1.0MB

  • memory/4828-73-0x000000000A2A0000-0x000000000A2B2000-memory.dmp
    Filesize

    72KB

  • memory/4828-78-0x000000000A300000-0x000000000A33E000-memory.dmp
    Filesize

    248KB

  • memory/4828-79-0x000000000A480000-0x000000000A4CB000-memory.dmp
    Filesize

    300KB

  • memory/4828-66-0x0000000004E20000-0x0000000004E26000-memory.dmp
    Filesize

    24KB

  • memory/4828-65-0x0000000000560000-0x0000000000590000-memory.dmp
    Filesize

    192KB