Analysis Overview
SHA256
a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70
Threat Level: Known bad
The file a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70 was found to be: Known bad.
Malicious Activity Summary
Detect Mystic stealer payload
Mystic
RedLine
RedLine payload
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-06 21:02
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-06 21:02
Reported
2023-10-06 21:05
Platform
win10v2004-20230915-en
Max time kernel
139s
Max time network
155s
Command Line
Signatures
Detect Mystic stealer payload
Mystic
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1820 set thread context of 4256 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe | "C:\Users\Admin\AppData\Local\Temp\a4c3412f202d55b1ae04358e3f170c21aeec0f1661d0af1d497947a87b3aea70.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1820 -ip 1820 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4256 -ip 4256 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 152 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 540 |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mP4tm5Bo.exe
| MD5 | ba4892e26926988f6a2dbb56995247e1 |
| SHA1 | 7a79129ae7bb490245fac12c3602d78bd83290c3 |
| SHA256 | 49b0eb8508ad7b7782737bc41f64b74e22028854cc7c556f391680e25660ece0 |
| SHA512 | 0353061d517d55a31ea283a15e06dcd4b70d0eae615a3569750c93a0dc3e615a13220356affc0f1df3d4a17c385855ee0d2ac95f4000b799abefe9089f1f008b |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wX7BP0wk.exe
| MD5 | 186db84236869477c2534576e7dd6f5a |
| SHA1 | 28a977b59c80e801f43a342972c4dc17824b9456 |
| SHA256 | a3e663e65f46b81e23c51d7b361072bc5616f295c5d99987c443d2d6710a5d08 |
| SHA512 | dd76398b21c0974405873ca2eb8cf8a370183a160437f19a8b6220dbd2781e4cc4e0ef56feec10c5eef66cc1019bb05eb896311b8d19ed55aacc29084f789e7c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BU8mZ0qL.exe
| MD5 | b85f2a763913194dd223c4802af384ad |
| SHA1 | ea95d3451450dd44c3d4a4601fb452f4c88f3df0 |
| SHA256 | 81e9b894f157bc3443d367d11cf4eb290cc08ba7969c471f03d111661c9be7d2 |
| SHA512 | ab4ed7d6b8546381396a8212661885f22b747cae60da068e22357a3041fb966858e87fce0e7cffb255b2686b10bf6a3764d972b4d2acf28d7ad9b6e671e0733d |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\la4nN2aB.exe
| MD5 | f6f499f248603f12859ee9f7f0c04c84 |
| SHA1 | 6ac87bf2f88b39bb1385fc781f417a80e316334e |
| SHA256 | 1d169ee672ef4b2bbe3630b7077b726aaff5dfa20d15166bcec571f935ddbb58 |
| SHA512 | 48ef5ea53798691b0cbb51f1ff0e39fea7363c4501f6c5c2d03e19e3410332229aef7c0d02f16e52aa6e16391675ce78e4f7956448bdf5d7cac90762ac73ce61 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Cr62SH3.exe
| MD5 | d859ff4578532e70d8d8745fc3343875 |
| SHA1 | ad023feca03469ae116137fffc644326eb767d83 |
| SHA256 | 9f52521d2f7ab62a4e4d237fe1e00bdf0881735909c1053b2c70181d1bd84049 |
| SHA512 | 3a4b619c8bea97e68547238c4b0422e5a6d2545f3ca42635239057295de454cd9fc6546bf0c37c85d5a7bd3cbba2cd4de5c5907ba9c3ac28a75990ccd61a03e1 |
memory/4256-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4256-36-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4256-37-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4256-39-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZU513ch.exe
| MD5 | d8623a7a068dbdc8ef201ad700abdf9a |
| SHA1 | 408f6b54b69e19fe72cb879973de83ffb3a6911e |
| SHA256 | 323531e939191dda90ea0fe0b12852dcf65804e03115205d55972ab275e75c5d |
| SHA512 | 74420e4724cc3b1911c354f1837ee3a19b369a05fec97545f2562d41909d6f87970475861d8111b3180276b3b0028202b7b60d55c17d481657ceee4bd2b6af87 |