Analysis Overview
SHA256
198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9
Threat Level: Known bad
The file 198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9 was found to be: Known bad.
Malicious Activity Summary
Mystic
RedLine
Detect Mystic stealer payload
RedLine payload
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-06 21:39
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-06 21:39
Reported
2023-10-06 21:42
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detect Mystic stealer payload
Mystic
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pP673Rw.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3928 set thread context of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe | "C:\Users\Admin\AppData\Local\Temp\198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 860 -ip 860 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3928 -ip 3928 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 540 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 600 |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pP673Rw.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pP673Rw.exe |
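The "Adds Run key" rows above are not payload persistence. `wextract_cleanupN = rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>"` is the stock RunOnce entry that wextract.exe (the IExpress self-extractor) writes so that its IXP00N.TMP extraction directory is deleted at next logon, and each entry here is written by the executable extracted one level up, which is how the five nested layers can be read off the table. The script below is an added example, not part of the sandbox report: it parses those rows into the nesting order, labels any RunOnce value that is not the stock cleanup command as worth a look, and pairs the SetThreadContext row with the WerFault command lines in the process list to show that both the injector (PID 3928, 1GG11Kk2.exe) and the hollowed AppLaunch.exe (PID 860) crashed. The `persistence-candidate` label and the `<sample>` placeholder for the top-level dropper are the example's own names; the registry data is transcribed as the report renders it.

```python
import re
from typing import Dict, List, Set, Tuple

# Transcribed from the "Adds Run key" table above: (writing process, RunOnce value
# data). The data keeps the report's rendering (doubled backslashes); the parser
# only needs the IXP00N.TMP directory names inside it.
RUNONCE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe",
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe",
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe",
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"'),
    (r"C:\Users\Admin\AppData\Local\Temp\198e731935d5a9c0b26797118791b53fd76ddd1a38302cf739ad3a57f0c6b2e9.exe",
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe",
     r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"'),
]

# The SetThreadContext description and the WerFault command lines, from the report.
SET_THREAD_CONTEXT = "PID 3928 set thread context of 860"
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 860 -ip 860",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3928 -ip 3928",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 540",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 600",
]

IXP_DIR = re.compile(r"IXP\d{3}\.TMP")
SFX_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)


def classify_runonce(value_data: str) -> str:
    """Stock wextract cleanup deletes the extraction dir at next logon; any other
    RunOnce value is flagged (example's own label) for a persistence review."""
    return "wextract-cleanup" if SFX_CLEANUP.search(value_data) else "persistence-candidate"


def wextract_chain(events: List[Tuple[str, str]]) -> List[str]:
    """Order the nested extractors: the writer's own IXP dir -> the dir it extracted."""
    edges: Dict[str, str] = {}
    for proc, data in events:
        if classify_runonce(data) != "wextract-cleanup":
            continue
        src = IXP_DIR.search(proc)
        dst = IXP_DIR.search(data)
        if dst is None:
            continue
        edges[src.group(0) if src else "<sample>"] = dst.group(0)
    chain = ["<sample>"]
    while chain[-1] in edges and edges[chain[-1]] not in chain:  # cycle guard
        chain.append(edges[chain[-1]])
    return chain


def parse_set_thread_context(desc: str) -> Tuple[int, int]:
    """'PID A set thread context of B' -> (injector A, target B)."""
    m = re.fullmatch(r"PID (\d+) set thread context of (\d+)", desc.strip())
    if m is None:
        raise ValueError(f"unrecognised SetThreadContext description: {desc!r}")
    return int(m.group(1)), int(m.group(2))


def werfault_pids(cmdlines: List[str]) -> Set[int]:
    """WerFault.exe is launched with -p <pid> for the crashing process."""
    pids: Set[int] = set()
    for line in cmdlines:
        m = re.search(r"\s-p\s+(\d+)", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def injection_outcome(desc: str, cmdlines: List[str]) -> Dict[str, object]:
    injector, target = parse_set_thread_context(desc)
    crashed = werfault_pids(cmdlines)
    return {"injector": injector, "target": target,
            "injector_crashed": injector in crashed, "target_crashed": target in crashed}


if __name__ == "__main__":
    print(" -> ".join(wextract_chain(RUNONCE_EVENTS)))
    print(injection_outcome(SET_THREAD_CONTEXT, WERFAULT_CMDLINES))
```

The chain ends at IXP004.TMP, the only directory from which the report shows two executables running (1GG11Kk2.exe and 2pP673Rw.exe); the injection check shows the hollowed AppLaunch.exe did not outlive its injector in this run, which is worth knowing before treating the PID 860 memory dumps as a full unpacked payload.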
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | | udp |
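Most of the table above is sandbox noise: the `.in-addr.arpa` rows are reverse (PTR) lookups the analysis host made, not connections to those addresses, and the tse1.mm.bing.net rows are Windows 10 background traffic. What remains after filtering is the repeated TCP connection to 77.91.124.55:19071, which the report does not label but which is the only endpoint the dropped payloads could have been talking to. The script below is an added example, not part of the report: it rebuilds the table inline, separates the three classes, and renders the survivor as a Suricata rule. The bing.net allowlist (treated as benign here) and the SID are assumptions for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Rows transcribed from the Network table above: (country, destination, domain, proto).
NETWORK_ROWS: List[Tuple[str, str, str, str]] = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "146.78.124.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "112.208.253.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.35.223.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.154.82.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "54.120.234.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "158.240.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "41.110.16.96.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.31.95.13.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "8.3.197.209.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "23.236.111.52.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "43.58.199.20.in-addr.arpa", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "200.197.79.204.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"
# Assumed benign for this sandbox image (Windows 10 background traffic); adjust per environment.
BENIGN_DOMAIN_SUFFIXES = (".bing.net",)


def ptr_ip(domain: str) -> str:
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200' (PTR names reverse the octets)."""
    return ".".join(reversed(domain[: -len(PTR_SUFFIX)].split(".")))


def triage(rows: List[Tuple[str, str, str, str]]) -> Dict[str, object]:
    ptr_lookups = 0
    dns_other = 0
    benign: Counter = Counter()
    candidates: Counter = Counter()
    for _country, dest, domain, proto in rows:
        ip, _, port = dest.rpartition(":")
        if port == "53" and proto == "udp":
            # DNS rows: count PTR noise separately from other lookups.
            if domain.endswith(PTR_SUFFIX):
                ptr_lookups += 1
            else:
                dns_other += 1
            continue
        key = f"{ip}:{port}/{proto}"
        if domain.endswith(BENIGN_DOMAIN_SUFFIXES):
            benign[key] += 1
        else:
            candidates[key] += 1
    return {"ptr_lookups": ptr_lookups, "dns_other": dns_other,
            "known_benign": dict(benign), "candidates": dict(candidates)}


def suricata_rule(endpoint: str, sid: int, msg: str) -> str:
    """Render 'ip:port/proto' as a minimal outbound Suricata rule (sid is the caller's)."""
    ip_port, proto = endpoint.split("/")
    ip, port = ip_port.rsplit(":", 1)
    return (f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"{msg}"; flow:to_server; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(result)
    for endpoint in result["candidates"]:
        print(suricata_rule(endpoint, 1000001, "Sandbox-derived stealer endpoint"))
```

Note that one of the PTR rows (200.197.79.204.in-addr.arpa) resolves back to the bing.net address in the table, which is the usual pattern for these reverse lookups: they mirror addresses the OS touched, not attacker infrastructure. A single-run count of six connections is enough to write the rule, not enough to call the port stable; re-detonate before pinning a port-specific signature.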
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pb2Pk7LF.exe
| MD5 | 50396aa17d248d8afe74cf8f19a9c33f |
| SHA1 | 33bdd0fea1dbc5434c5edf34106af19ad76b825c |
| SHA256 | 1758bfee38a61d558e5e500b6cc4d6896eabe1b55f729591163da9a72a9f6e85 |
| SHA512 | beff0f6cee774e3fb8dcfdc0ef7a443cffed16ae40ead36aa51307a52d9fa0cd3ab7da6831e9cb5db84611f2f00cd5503061d22a4d4fa77aa2f38f470db14bc0 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\JP1JU5QT.exe
| MD5 | dcb7dd1183d028f3784e63f8a63dd11c |
| SHA1 | 0383498afbc0b7dc8405711712a18d6bb41af6f2 |
| SHA256 | 7869320b7c531f801f0cf245cce512fe55f1cbedd1311665c356ad6bf314ede8 |
| SHA512 | 83f588765502e7268d196f0a7ca1d0a27ea3330262a882712bbf2a2be33938bc2b775b59e2f9fcd7c9f12c34e5538b0f8a2b20c2b32a8509a69792377b01789f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jF5nI4Cy.exe
| MD5 | b02dee59706aa71090cfa2a67cc0c7ca |
| SHA1 | d869ea683c563affb2b7041fdccca5b61d1141e3 |
| SHA256 | 7eca710778bc8571155750f273a6fbfbd6ed218a394e95cb64620a3520bf70f2 |
| SHA512 | d7ea424df02d92fbb1ac8c7d35231cf888df4a82aa35583c2c5f6a7f8c83b3ef0fa833e95a630a37906fd88655653884703996022df97b7c251b7e39cd7b529a |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xF3jq4bP.exe
| MD5 | d6c90b9404be517719efb3e440559564 |
| SHA1 | e80a31033f5152ff7c99f77b54aabad49133fc67 |
| SHA256 | d57df80c79fcc09a425cbf698b5da027e320671a4def137fd8d152ca2b8b073d |
| SHA512 | 59bc81d46745ac68f86cee31c483701dd4388563975f390ac6e7edba4baab5bb97abc430b33c0f44b70f8bcb74af5d4a82e2e02f1242770711c9816ad1e77295 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GG11Kk2.exe
| MD5 | 95ab34f204236ba37848cc9cc95405e1 |
| SHA1 | bb51007f4c622de6695c888b0ad77fd7d338d57c |
| SHA256 | 699f39018aace26083e65b195f12fb9440be99f4fd86b8a6c1fa01683dbe91f6 |
| SHA512 | 180711f110f58ff84524075c132ca202274d5f8983aba1374b6f39dd86c572f950c36538da73b554df0b9935159a3bcbb5a39255acdc891e5d42a7d20574bf07 |
memory/860-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/860-36-0x0000000000400000-0x0000000000428000-memory.dmp
memory/860-37-0x0000000000400000-0x0000000000428000-memory.dmp
memory/860-39-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pP673Rw.exe
| MD5 | 0f740d8c8f3e43861d9bdd866f9af0f9 |
| SHA1 | caa75992994504eda91b8b130962aa52ab922283 |
| SHA256 | 6e24db519479cf96182b5ca743949c1205fa5218c4a69694019b388eea8c2206 |
| SHA512 | 77f766ea7dd51469b7fd44fcb53b05ad2276dbcd43bb1f482d7b2b655275cf060e3cdb204ae1983aa9b48071143277d091ce62d16fde5f69bf6520169456146b |
memory/4332-43-0x00000000003F0000-0x000000000042E000-memory.dmp
memory/4332-44-0x0000000073F50000-0x0000000074700000-memory.dmp
memory/4332-45-0x0000000007640000-0x0000000007BE4000-memory.dmp
memory/4332-46-0x0000000007170000-0x0000000007202000-memory.dmp
memory/4332-47-0x00000000073B0000-0x00000000073C0000-memory.dmp
memory/4332-48-0x0000000007360000-0x000000000736A000-memory.dmp
memory/4332-49-0x0000000008210000-0x0000000008828000-memory.dmp
memory/4332-50-0x0000000007BF0000-0x0000000007CFA000-memory.dmp
memory/4332-51-0x0000000007440000-0x0000000007452000-memory.dmp
memory/4332-52-0x00000000074A0000-0x00000000074DC000-memory.dmp
memory/4332-53-0x00000000074E0000-0x000000000752C000-memory.dmp
memory/4332-54-0x0000000073F50000-0x0000000074700000-memory.dmp
memory/4332-55-0x00000000073B0000-0x00000000073C0000-memory.dmp