healer | dddb1986e75b4e018479c53776892814d67cef7bc99f2af657727502e138a06a

General

Target

z1247603.exe
Size

339KB
MD5

9b995acf949571a6d38b503d48a98785
SHA1

2753654bfa17386f1427956d4495e269c2178716
SHA256

e80820126f8f3d130ab9d5c681edd6908387769819e09f0a98e37f72b0e2fed1
SHA512

5decfc4cc8e40cd18dce1d956b9886f886a1e1e224bba4058f952631fada7df754d8c3d4665e884ee5aff537ebb00192a453d09e3bc912ad6740856b84740f0f
SSDEEP

6144:KEy+bnr+sp0yN90QEu2hE7ZstgFVEXwyHHOoOBlpcTQBonu/PcgFP:AMrsy90A2hE7ZsthxHux7pmYh/PPP

Score

10^/10

healer mystic discovery dropper evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral3/memory/5092-12-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral3/memory/5092-14-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral3/memory/5092-16-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral3/memory/5092-13-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral3/memory/4440-7-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 2 IoCs

pid	Process
3964	q9601235.exe
3108	r7715239.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	z1247603.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3964 set thread context of 4440	3964	q9601235.exe	88
PID 3108 set thread context of 5092	3108	r7715239.exe	92

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z1247603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q9601235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r7715239.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4440	AppLaunch.exe
4440	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	AppLaunch.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3964	3100	z1247603.exe	84
PID 3100 wrote to memory of 3964	3100	z1247603.exe	84
PID 3100 wrote to memory of 3964	3100	z1247603.exe	84
PID 3964 wrote to memory of 4440	3964	q9601235.exe	88
PID 3964 wrote to memory of 4440	3964	q9601235.exe	88
PID 3964 wrote to memory of 4440	3964	q9601235.exe	88
PID 3964 wrote to memory of 4440	3964	q9601235.exe	88
PID 3964 wrote to memory of 4440	3964	q9601235.exe	88
PID 3964 wrote to memory of 4440	3964	q9601235.exe	88
PID 3964 wrote to memory of 4440	3964	q9601235.exe	88
PID 3964 wrote to memory of 4440	3964	q9601235.exe	88
PID 3100 wrote to memory of 3108	3100	z1247603.exe	90
PID 3100 wrote to memory of 3108	3100	z1247603.exe	90
PID 3100 wrote to memory of 3108	3100	z1247603.exe	90
PID 3108 wrote to memory of 5092	3108	r7715239.exe	92
PID 3108 wrote to memory of 5092	3108	r7715239.exe	92
PID 3108 wrote to memory of 5092	3108	r7715239.exe	92
PID 3108 wrote to memory of 5092	3108	r7715239.exe	92
PID 3108 wrote to memory of 5092	3108	r7715239.exe	92
PID 3108 wrote to memory of 5092	3108	r7715239.exe	92
PID 3108 wrote to memory of 5092	3108	r7715239.exe	92
PID 3108 wrote to memory of 5092	3108	r7715239.exe	92
PID 3108 wrote to memory of 5092	3108	r7715239.exe	92
PID 3108 wrote to memory of 5092	3108	r7715239.exe	92

C:\Users\Admin\AppData\Local\Temp\z1247603.exe
"C:\Users\Admin\AppData\Local\Temp\z1247603.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9601235.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9601235.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7715239.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7715239.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q9601235.exe

Filesize
230KB

MD5
7f75ec203e74de86ca0391b71761904c

SHA1
aa2234e2608876be364a7a2516918fad954a27cf

SHA256
873e8ef4b9460406288f6f4ca433ba6ecf4597218b72a125d00052847a90b3b8

SHA512
eeefa3c3f8b9df71cd2302cf8c26bf03501d5f400344750f1b4ec7b280297f6635cb8c88eaca9d3c91a7ef8208aceede618dbe844b7354488e58ef059d54cc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7715239.exe

Filesize
359KB

MD5
d05f05bc0687727b909a0f228cb03a75

SHA1
e20b5d99c563393e645af1835f7f93027bd03cf1

SHA256
332b14a12ed0278ef7a9882b41ec6a2e0770714c4d3fc29ea3357d5fa9b0dde5

SHA512
98f95f6c47741838495b4b527f5c815f6fcad660f5330f3a077319ddcd1f3e39dfe60a075495090e01a61eb04ab64c4e3e9ec5ae1f2fe662ced788639a0d73be

Download Submit
memory/4440-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4440-10-0x0000000073C5E000-0x0000000073C5F000-memory.dmp

Filesize
4KB

Download
memory/4440-17-0x0000000073C5E000-0x0000000073C5F000-memory.dmp

Filesize
4KB

Download
memory/5092-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5092-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5092-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5092-13-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5092-19-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads