Analysis
max time kernel: 139s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/10/2023, 21:02

Static task: static1
Behavioral task: behavioral1
Sample: a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe
Resource: win10v2004-20230915-en
General
Target: a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe
Size: 1.2MB
MD5: 7bb273c8476a599a0fb7dba9ca9dcc9c
SHA1: 89b7788e3c9d50c09a8f59b5b9675353e99f2e89
SHA256: a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70
SHA512: da9e87a6e8cae729b8a6a47828677f86105ffad820ec9e972e9cc5c5562d6e4655235aa6dd20f58cb0d4fefa57188d88626c648498e997b4fbdc6e889cf30666
SSDEEP: 24576:eyz5zsFl5hTymIuNyMOGPJdAdXCJEwe8x7Je/Rssaf:tzJsFl3TyTdGPJdlJEwee92ssa
Malware Config
Extracted
Family: redline
Botnet: gigant
C2: 77.91.124.55:19071
Signatures

Detect Mystic stealer payload (4 IoCs)
resource | yara_rule
behavioral1/memory/4256-35-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/4256-36-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/4256-37-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral1/memory/4256-39-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x00060000000230a6-41.dat | family_redline
behavioral1/files/0x00060000000230a6-42.dat | family_redline
behavioral1/memory/1628-44-0x0000000000810000-0x000000000084E000-memory.dmp | family_redline
Executes dropped EXE (6 IoCs)
pid | Process
3748 | mP4tm5Bo.exe
828 | wX7BP0wk.exe
5084 | BU8mZ0qL.exe
2876 | la4nN2aB.exe
1820 | 1Cr62SH3.exe
1628 | 2ZU513ch.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | mP4tm5Bo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | wX7BP0wk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | BU8mZ0qL.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | la4nN2aB.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1820 set thread context of 4256 | 1820 | 1Cr62SH3.exe | 96
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2976 | 1820 | WerFault.exe | 94
2116 | 4256 | WerFault.exe | 96
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 3000 wrote to memory of 3748 | 3000 | a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe | 90
PID 3000 wrote to memory of 3748 | 3000 | a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe | 90
PID 3000 wrote to memory of 3748 | 3000 | a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe | 90
PID 3748 wrote to memory of 828 | 3748 | mP4tm5Bo.exe | 91
PID 3748 wrote to memory of 828 | 3748 | mP4tm5Bo.exe | 91
PID 3748 wrote to memory of 828 | 3748 | mP4tm5Bo.exe | 91
PID 828 wrote to memory of 5084 | 828 | wX7BP0wk.exe | 92
PID 828 wrote to memory of 5084 | 828 | wX7BP0wk.exe | 92
PID 828 wrote to memory of 5084 | 828 | wX7BP0wk.exe | 92
PID 5084 wrote to memory of 2876 | 5084 | BU8mZ0qL.exe | 93
PID 5084 wrote to memory of 2876 | 5084 | BU8mZ0qL.exe | 93
PID 5084 wrote to memory of 2876 | 5084 | BU8mZ0qL.exe | 93
PID 2876 wrote to memory of 1820 | 2876 | la4nN2aB.exe | 94
PID 2876 wrote to memory of 1820 | 2876 | la4nN2aB.exe | 94
PID 2876 wrote to memory of 1820 | 2876 | la4nN2aB.exe | 94
PID 1820 wrote to memory of 4256 | 1820 | 1Cr62SH3.exe | 96
PID 1820 wrote to memory of 4256 | 1820 | 1Cr62SH3.exe | 96
PID 1820 wrote to memory of 4256 | 1820 | 1Cr62SH3.exe | 96
PID 1820 wrote to memory of 4256 | 1820 | 1Cr62SH3.exe | 96
PID 1820 wrote to memory of 4256 | 1820 | 1Cr62SH3.exe | 96
PID 1820 wrote to memory of 4256 | 1820 | 1Cr62SH3.exe | 96
PID 1820 wrote to memory of 4256 | 1820 | 1Cr62SH3.exe | 96
PID 1820 wrote to memory of 4256 | 1820 | 1Cr62SH3.exe | 96
PID 1820 wrote to memory of 4256 | 1820 | 1Cr62SH3.exe | 96
PID 1820 wrote to memory of 4256 | 1820 | 1Cr62SH3.exe | 96
PID 2876 wrote to memory of 1628 | 2876 | la4nN2aB.exe | 101
PID 2876 wrote to memory of 1628 | 2876 | la4nN2aB.exe | 101
PID 2876 wrote to memory of 1628 | 2876 | la4nN2aB.exe | 101
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe (PID 3000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe (PID 3748)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe (PID 828)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe (PID 5084)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe (PID 2876)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe (PID 1820)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4256)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - C:\Windows\SysWOW64\WerFault.exe (PID 2116)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 540
                Signatures: Program crash
            - C:\Windows\SysWOW64\WerFault.exe (PID 2976)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 152
              Signatures: Program crash
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe (PID 1628)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe
            Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 2440)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1820 -ip 1820
- C:\Windows\SysWOW64\WerFault.exe (PID 2372)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4256 -ip 4256
Downloads