Malware Analysis Report

2024-10-16 03:40

Sample ID 241009-cjt26ascqk
Target 2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N
SHA256 2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3
Tags
healer mystic smokeloader backdoor discovery dropper evasion persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3

Threat Level: Known bad

The file 2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N was found to be: Known bad.

Malicious Activity Summary

healer mystic smokeloader backdoor discovery dropper evasion persistence stealer trojan

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer an antivirus disabler dropper

Detect Mystic stealer payload

Mystic

SmokeLoader

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 02:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 02:06

Reported

2024-10-09 02:09

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Mystic

stealer mystic

SmokeLoader

trojan backdoor smokeloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4272 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe
PID 4272 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe
PID 4272 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe
PID 3452 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe
PID 3452 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe
PID 3452 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe
PID 3884 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3884 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3884 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3884 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3884 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3884 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3884 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3884 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3884 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3884 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3884 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3452 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe
PID 3452 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe
PID 3452 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe
PID 640 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 640 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4272 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe
PID 4272 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe
PID 4272 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe
PID 864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 864 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe

"C:\Users\Admin\AppData\Local\Temp\2db989627ac432ce4ee3695e0e891196e44f308889018096f366a86c3e5f9be3N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3884 -ip 3884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 136

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 640 -ip 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 864 -ip 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 152

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0551973.exe

MD5 a735615991f6c0e4fc5f7b037f272c65
SHA1 f30d6926fed6f009538771bdfaa0f9fa2f15c0f4
SHA256 279983625508f139f85b0a984d507478d6b8b2ee1c938655a92d827e0654f118
SHA512 bc708516bbd8cc982676eee74e02a85eed689ce6c0cf1c98bbe2165d4009b3d501d04744cbe8f5a93447713983e2e8920a5ebfdb02518c28b92cc71681e99f77

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q6262474.exe

MD5 d3c16199d68c4d28579448c54ae18213
SHA1 a541ce249446d71b07cbd8a05e4fff9ba4eef4f4
SHA256 085fe4a13f44e1fd33c339d7e3ebc6c1c6bc71159130a500c66e4561a72d4663
SHA512 c9c957e107dad6a1b9285f0758a312c1b6a09a4efe68d23b2b08d81670c3d68e8165157585bb3ab6911ea25397f37b8db297ac7d994eac15d5c3a81b5766fb83

memory/2436-14-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2436-15-0x00000000743FE000-0x00000000743FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0810735.exe

MD5 af5140d336991f3e482ace1e92e7322a
SHA1 833bb37812babee862d159cffc1786069eb6b487
SHA256 8ab814a3a79e4592b1e62199875df48750a2e9f6c113a63b54795b4deb4bc7d0
SHA512 db67687f9e8c27483587e585588e7ddccce6e84542efef3077e8d885c50895914e9ca7868949b0453c9b59dd5b7c7c21bd7745a8a85ba3cf1590e4685846aed9

memory/4156-19-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4156-22-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4156-20-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s5298547.exe

MD5 51bd4ba9ceb8521aa71952411fc43132
SHA1 8eb05ec7249747111885b3cdb2264b44363329e5
SHA256 d87548621c02cf151f50d448be9fff8e30dfcd5bb75fa5f5e2c93ed12a629e6c
SHA512 60bc664822b81057c6ba7c3f49faaa0b9bfa7aa965ad64a56bd4bf31648508af669aae276d5e2b0d80b16ef7314536172371e1a28d76a9941e63d45c5450a371

memory/2060-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2436-27-0x00000000743FE000-0x00000000743FF000-memory.dmp