Overview

overview

10

Static

static

3

72df64e436...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 17:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72df64e43614e170b58e5962ac2ae8e892ab472ad93eb1974e687245b59804b6.exe

  • Size

    1.3MB

  • MD5

    716dee739a1ca6d3fbe97ca1453e4fd3

  • SHA1

    bcd1490bf52296f5e41eba2038d97b93722b1568

  • SHA256

    72df64e43614e170b58e5962ac2ae8e892ab472ad93eb1974e687245b59804b6

  • SHA512

    24aeb94afa0a04bc3d7c622ea242ae71a64baba14eadc2f5be48d109d52989713cefed6625050a90dbc323b9f692a6fef342291aaaa65a1017ae5c412301ae56

  • SSDEEP

    24576:FymFdtmpnRMDYvZGWafUEo6TDyTh4i5H9/BVwQCwiDG5D2UFOZ+70IqHk:gmFdtCRL9gUz6aV5H9/kQC05tdPa

Score
10/10
healermysticredlinesmokeloadertrushbackdoordiscoverydropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

trush

C2

77.91.124.82:19071

Attributes
  • auth_value

    c13814867cde8193679cd0cad2d774be

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • Mystic family
    mystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Smokeloader family
    smokeloader
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72df64e43614e170b58e5962ac2ae8e892ab472ad93eb1974e687245b59804b6.exe
    "C:\Users\Admin\AppData\Local\Temp\72df64e43614e170b58e5962ac2ae8e892ab472ad93eb1974e687245b59804b6.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9079639.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9079639.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4764778.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4764778.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1251959.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1251959.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8875666.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8875666.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4748
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2443589.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2443589.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:508
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4504
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 148
              6⤵
              • Program crash
              PID:1708
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0034045.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0034045.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Checks SCSI registry key(s)
            PID:732
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 136
            5⤵
            • Program crash
            PID:2008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9552604.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9552604.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:444
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4828
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2968
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 572
            4⤵
            • Program crash
            PID:1940
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5129063.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5129063.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2072
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 508 -ip 508
      1⤵
        PID:1736
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2460 -ip 2460
        1⤵
          PID:3652
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 444 -ip 444
          1⤵
            PID:4348

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5129063.exe
            Filesize

            17KB

            MD5

            7a971f85ff85be9e48a83a1650380755

            SHA1

            53c50d8055094b44b7ad3015118f1972c19c6cfb

            SHA256

            2e42957b1a5a4a3fa84ee2edccc1efc3bfc1a47d6f842b317810a06300c5c882

            SHA512

            2098fa43f3401f8ff8e06f844eecaf8432b92a4303cb7c4b751179ec9f8dc32bd40bf22ba2819859b0722baa8ff0d0347f4082d663484892b93041f70c319cbe

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9079639.exe
            Filesize

            1.2MB

            MD5

            373d14fad3ecd46aea39c2b3d3fa6747

            SHA1

            14f49dd842c50174fec9bdf84e27260b0f4d35e4

            SHA256

            e5e3b9ac8cac44248112264e031e631ab83817d682369fd13b80e7807e25ee94

            SHA512

            6d0afffe2e78b970f19d9e43d4fc6ec3100a00fc0359323e98329e41e59324727016367da46f926da44c79cd1da4211d2164945d900e806541ea724ce7416614

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d9552604.exe
            Filesize

            1.0MB

            MD5

            dd5511562e6b91e3b9ccb2589cca88eb

            SHA1

            21408d85a32ba31d8ca92382342cc7654b7e28a4

            SHA256

            b999015334444f22c60974d8cc3197380cc84d193173cfbf55c20785cb0e12a8

            SHA512

            ef7e69db59c81069cf4e094ddd9d9cb225f434297bf29c138f8e6f2f5ab82f2b63e4d9e288a53f8014e5a17cb4742be733306a0858e5bdd7062c6fc90831c312

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4764778.exe
            Filesize

            835KB

            MD5

            6b8e2a0c2b915f34bda628af0d662aa5

            SHA1

            d2878f1df083ce3134ddd900831e55cba8f56e7b

            SHA256

            e517997ac450ef578ef7267abe25810ec7e85296bd335446e99b5f19d90e5c80

            SHA512

            7c686c4e48bfda49ed202ae9e74f5b9315c6eeee1d39a328ea62513f024c069c647f903184e6b36feeb67bb44fb45d1e2c84d53b5a2ec86f0f1e5604ed4ed1ee

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0034045.exe
            Filesize

            884KB

            MD5

            ae879b44eba9325f8ba979a61d0b2746

            SHA1

            5b94fe29e42850258af44af025d0d54602563bf7

            SHA256

            e699275ecefa33670ad3d821a7294a4c73ea2154919fe9b828b92fcad759ca5b

            SHA512

            9e163d6cabb5e84dc97927ccc6de8d730a4e9da1c38788e25bf9304d2bbed4b2c610c14cb6f08baac38f3d5a99701b19fa3ced43bbf6ca02c1a390da85e3dfab

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1251959.exe
            Filesize

            475KB

            MD5

            695557b9ba9ab7e26f3bdddaf9f70e05

            SHA1

            e92d86bcfd85b96cb2fe7ec8fe198591ba56f235

            SHA256

            24af32571f5374ad69fae3db059f7c177e81f2b239bd517aa224637f145f1cbd

            SHA512

            045b7e6fe2e839cfc5f81f9202117143bee41da0532d31554d7c58059e31975bbfe86fcee558d14cbe4e7074f4dd83cbe4ba87dd58defca173cb452aa5cefd43

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8875666.exe
            Filesize

            11KB

            MD5

            417bf355ff406c10fd30628dc9629590

            SHA1

            2679d7839e4e361ea016e99e453b981002dc2d71

            SHA256

            9eea16179fbb0add20846370c57fc4973b3f6726983712d8314df208527b6b9b

            SHA512

            da8d590bb3a786087512aa99ed2e081aac67780b6b5e14a03e13dee3a2f59f23c8b21617b9ce961bfed5644626b433fbd8ceb4965a1e5e796113c1a8473bf966

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2443589.exe
            Filesize

            1.0MB

            MD5

            3559a8fca3a77b081cd96efcbbc2647c

            SHA1

            0ca328528957262bcc32e7ae3d0f46e7ed178923

            SHA256

            05b778559a235267e3af74087f94b2e7e85e01ec189b44b80c566c2760255af6

            SHA512

            1ef33d19dc2632ef776f03bed9312a2cae3b6214d2487003507e48516ab524ad1f2e5c9d0eacef396e043fd09ee73f6fca8057ceb07e688e9e145158231f3bea

            Download Submit

          • memory/732-40-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/2968-44-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2968-45-0x0000000005250000-0x0000000005256000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2968-49-0x0000000005930000-0x0000000005F48000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/2968-50-0x0000000005420000-0x000000000552A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2968-51-0x00000000052B0000-0x00000000052C2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2968-52-0x0000000005350000-0x000000000538C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2968-53-0x0000000005390000-0x00000000053DC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4504-34-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/4504-36-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/4504-33-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/4748-28-0x00000000005B0000-0x00000000005BA000-memory.dmp

            Filesize

            40KB

            Download