Analysis Overview
SHA256
fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb
Threat Level: Known bad
The file fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Detect Mystic stealer payload
Mystic
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-06 21:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-06 21:47
Reported
2023-10-06 21:49
Platform
win10v2004-20230915-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Mystic
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gl2cZ1op.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jd3tw7ja.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WM7te5go.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3En3pn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm90GG6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mr852Yb.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gl2cZ1op.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jd3tw7ja.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WM7te5go.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3En3pn.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2140 set thread context of 3612 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm90GG6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm90GG6.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe | "C:\Users\Admin\AppData\Local\Temp\fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gl2cZ1op.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gl2cZ1op.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jd3tw7ja.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jd3tw7ja.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WM7te5go.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WM7te5go.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3En3pn.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3En3pn.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm90GG6.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm90GG6.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3612 -ip 3612 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2140 -ip 2140 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 540 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 600 |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mr852Yb.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mr852Yb.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gl2cZ1op.exe
| MD5 | 207e39b69d7fcde973111a1f3584b5cc |
| SHA1 | f65911bdbc34f2310aadc194def9528bb64f75d0 |
| SHA256 | 54b1927c8b0cd0b9a35cb91a8b444127c67d5767343e0cadbc071d60b2a873c2 |
| SHA512 | 21528a60fa39450a9207764d41cc75c34806a8ef66971a64af6b575e5f4589d574711deaa0960128a9a51183d4a6142057f721aadc5a82f002c021b21595bc1d |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jd3tw7ja.exe
| MD5 | 0a5863d64e23c4f3ef3200779c1ebff4 |
| SHA1 | e9bf567f5570e75e76b85b055cb1345a74f27ce8 |
| SHA256 | cd9360589c2015aee54ccf40f997c832bf2930ab69211f5d8a4698a5886e3d63 |
| SHA512 | ad4a65779b8a1991589f078b8b5016be7535b00762217612fcc5ae82864d8852f400d393b275841b336d09b29aaae501959651c4efabeba50ea1d454adb115d1 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WM7te5go.exe
| MD5 | 943b112749ec2b1d79d6d9dfbfbc61f6 |
| SHA1 | 54345a752550c0fb4b7a9f7d604d6ca6e21ec8fb |
| SHA256 | 9e866e22f3b5578b8badbfdcbcb9ee9d3052a5bf1c87c22569e90ba464f3c3fa |
| SHA512 | c8f30d5d0da0ff2b8abf6777fc541038e9fb9923e0b365aa0c21ab84c21593c7ba49edc640af0a3c1ae70160911be3d7a9dee4e9df0a57d97b2e41b0c4b08a7a |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3En3pn.exe
| MD5 | f222096f65e28b52fc018ad530a51db3 |
| SHA1 | 0c10946b0657300cf01c7103e0f9bc3313d727e4 |
| SHA256 | ba63b2fb09ce0756ebbb4f972c35c0cea4079ab86292ac3651960fe46c0173f1 |
| SHA512 | 047b915ec2ad4fbb6e41a51bd0b9c8672d72d74c3e97851b87150a27891671225303bb0efb660db91653f4256bedf1fbd847fda6cde94391b8e42119750dfb94 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm90GG6.exe
| MD5 | 057684fdcfa64b387fd4c84e88123632 |
| SHA1 | 2ec62abf9fe6673ef75748a0d89e201907608297 |
| SHA256 | 91cd87b4da0609ef7b600b7d349deffdae7fcd863ddaf4bb5da0c5dfae1fc986 |
| SHA512 | bfccf7d1ee9f070c4b12ecb1062e4ba48b40a738d30b6bf0ee0bfb183021903ee775568ba3015d8be1af0686c16e2ebf610410c2061ec105a2bdf3221f0404b1 |
memory/3612-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3612-36-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3612-37-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3612-39-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mr852Yb.exe
| MD5 | 0e26b34a4953bad439184ed9df9144aa |
| SHA1 | 470b2e126601928eaf3a1f9aafe4f59884ea07ab |
| SHA256 | 9bb4c8ad8de9222070fbd129e7d7b24224d5fe58522f16a896e4614eddb940c8 |
| SHA512 | 3d0d3799fff587cb703ea40b121d7d5f3713d521cacb7c42d818349d12d2e9f6f44ffe33e25d8a232acd9a18234d8ea8cbb8eb20174c11c53f4122798e9ad3b0 |
memory/3508-43-0x0000000074010000-0x00000000747C0000-memory.dmp
memory/3508-44-0x0000000000830000-0x000000000086E000-memory.dmp
memory/3508-45-0x0000000007C50000-0x00000000081F4000-memory.dmp
memory/3508-46-0x0000000007740000-0x00000000077D2000-memory.dmp
memory/3508-47-0x0000000007900000-0x0000000007910000-memory.dmp
memory/3508-48-0x00000000078F0000-0x00000000078FA000-memory.dmp
memory/3508-49-0x0000000008820000-0x0000000008E38000-memory.dmp
memory/3508-50-0x0000000007AA0000-0x0000000007BAA000-memory.dmp
memory/3508-51-0x00000000079D0000-0x00000000079E2000-memory.dmp
memory/3508-52-0x0000000007A30000-0x0000000007A6C000-memory.dmp
memory/3508-53-0x0000000007BB0000-0x0000000007BFC000-memory.dmp
memory/3508-54-0x0000000074010000-0x00000000747C0000-memory.dmp
memory/3508-55-0x0000000007900000-0x0000000007910000-memory.dmp