healer | bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5e

General

Target

bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe
Size

344KB
MD5

2ada42c367d55fb0114b4083ade1e3b0
SHA1

547f1af927b7b552cea4d1772f03a76c8e7ba085
SHA256

bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5e
SHA512

2f6f4ed12605f008ffb9cae6c2dfa6527953701a3a2ea82b05f5f45d2725babd437e434b47deb84b4181340a094967a84ceedb209ff2b5da9c08ddcbfb1b43c2
SSDEEP

6144:KXy+bnr+Xp0yN90QEjiaS6lz6vi0U4n1KyYIds6uUjs/:JMrby90hJSUz70lnkyYB6ul

Score

10^/10

healer mystic discovery dropper evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1028-12-0x0000000000400000-0x000000000042C000-memory.dmp	mystic_family
behavioral1/memory/1028-14-0x0000000000400000-0x000000000042C000-memory.dmp	mystic_family
behavioral1/memory/1028-16-0x0000000000400000-0x000000000042C000-memory.dmp	mystic_family
behavioral1/memory/1028-13-0x0000000000400000-0x000000000042C000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/1884-7-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 2 IoCs

pid	Process
4176	a8433018.exe
668	b2057559.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4176 set thread context of 1884	4176	a8433018.exe	83
PID 668 set thread context of 1028	668	b2057559.exe	88

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3004	4176	WerFault.exe	82
976	668	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2057559.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8433018.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1884	AppLaunch.exe
1884	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	AppLaunch.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 4176	5064	bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe	82
PID 5064 wrote to memory of 4176	5064	bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe	82
PID 5064 wrote to memory of 4176	5064	bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe	82
PID 4176 wrote to memory of 1884	4176	a8433018.exe	83
PID 4176 wrote to memory of 1884	4176	a8433018.exe	83
PID 4176 wrote to memory of 1884	4176	a8433018.exe	83
PID 4176 wrote to memory of 1884	4176	a8433018.exe	83
PID 4176 wrote to memory of 1884	4176	a8433018.exe	83
PID 4176 wrote to memory of 1884	4176	a8433018.exe	83
PID 4176 wrote to memory of 1884	4176	a8433018.exe	83
PID 4176 wrote to memory of 1884	4176	a8433018.exe	83
PID 5064 wrote to memory of 668	5064	bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe	87
PID 5064 wrote to memory of 668	5064	bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe	87
PID 5064 wrote to memory of 668	5064	bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe	87
PID 668 wrote to memory of 1028	668	b2057559.exe	88
PID 668 wrote to memory of 1028	668	b2057559.exe	88
PID 668 wrote to memory of 1028	668	b2057559.exe	88
PID 668 wrote to memory of 1028	668	b2057559.exe	88
PID 668 wrote to memory of 1028	668	b2057559.exe	88
PID 668 wrote to memory of 1028	668	b2057559.exe	88
PID 668 wrote to memory of 1028	668	b2057559.exe	88
PID 668 wrote to memory of 1028	668	b2057559.exe	88
PID 668 wrote to memory of 1028	668	b2057559.exe	88
PID 668 wrote to memory of 1028	668	b2057559.exe	88

C:\Users\Admin\AppData\Local\Temp\bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe
"C:\Users\Admin\AppData\Local\Temp\bc3b8e119b26c24c0f00ef40c84d79b0dd7a96ee6c0e98c7cd3c546cc8b9ef5eN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a8433018.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a8433018.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 552
    3⤵
    - Program crash
    PID:3004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2057559.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2057559.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 552
    3⤵
    - Program crash
    PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4176 -ip 4176
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 668 -ip 668
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a8433018.exe

Filesize
220KB

MD5
842169ea7b6dd37c8595b6c1a160fd76

SHA1
08a3a4d6f73d2592c169c66489c6cfae39b45a51

SHA256
d10a8833084c0f9ad7ebbd04a20e54cd06f7dac6d25d31e8126195b9d3fd5e65

SHA512
e843f113e89af61abcc53eb5219d5123ee39a8ebcea76feb5895f191ddff20b785fc070ac259429a5430721a6e9433551ed0e82159a07f2201857580695161f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2057559.exe

Filesize
364KB

MD5
e226cf58e0ef05a2a83725170a776974

SHA1
ab12eae258fc2bc48801e055b6bae667c434e49e

SHA256
f50ea30c695a079b4e62b5ead744e9cc6eab2b3887aaa93d27dee6f7d76c26bb

SHA512
72cce0e6f412631e62f33fa2a00a659a3db4e3dfe716af62341388388759806f8450f731a7332211e5ec84279f7f73e610e3b17ac4b9022a996f823b194d601f

Download Submit
memory/1028-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1028-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1028-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1028-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1884-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1884-8-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/1884-17-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads