Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/10/2023, 05:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe
- Resource: win10v2004-20230915-en
General
- Target: 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe
- Size: 1.2MB
- MD5: dfafeb88c07aa7136b3abb4c38d62687
- SHA1: 7c2dbb25dfab28360a07d326ad85ac91fc4f859b
- SHA256: 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1
- SHA512: ecf7b0798b11b32934c9e9e1621cca66de7d10bdd5a227be1b02b65af4aa92be89127b29fea160e3d2c1f9e29b6734cf2244ff962068d6d9dd4e07bfcc98bc59
- SSDEEP: 24576:JyJX6WLz4L3SKLNtGMtRE7+Ra8Zoiub1iop2zSlofRq9O:8JKu4bSgtR4woN2c9
Malware Config
Extracted
- Family: redline
- Botnet: gigant
- C2: 77.91.124.55:19071
Signatures
- Detect Mystic stealer payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1496-35-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral1/memory/1496-36-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral1/memory/1496-37-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral1/memory/1496-39-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x00060000000230b7-41.dat | family_redline
  behavioral1/files/0x00060000000230b7-42.dat | family_redline
  behavioral1/memory/3152-44-0x0000000000760000-0x000000000079E000-memory.dmp | family_redline
- Executes dropped EXE (6 IoCs)
  pid | Process
  4864 | qY3IT2vS.exe
  2212 | Bb6tk4gA.exe
  1312 | UA0dr1jB.exe
  4732 | LM8lO9hX.exe
  648 | 1Nh04DF3.exe
  3152 | 2xg494Yp.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | qY3IT2vS.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | Bb6tk4gA.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | UA0dr1jB.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | LM8lO9hX.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 648 set thread context of 1496 | 648 | 1Nh04DF3.exe | 94
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  1364 | 648 | WerFault.exe | 92
  4368 | 1496 | WerFault.exe | 94
- Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 4960 wrote to memory of 4864 | 4960 | 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe | 88
  PID 4960 wrote to memory of 4864 | 4960 | 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe | 88
  PID 4960 wrote to memory of 4864 | 4960 | 7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe | 88
  PID 4864 wrote to memory of 2212 | 4864 | qY3IT2vS.exe | 89
  PID 4864 wrote to memory of 2212 | 4864 | qY3IT2vS.exe | 89
  PID 4864 wrote to memory of 2212 | 4864 | qY3IT2vS.exe | 89
  PID 2212 wrote to memory of 1312 | 2212 | Bb6tk4gA.exe | 90
  PID 2212 wrote to memory of 1312 | 2212 | Bb6tk4gA.exe | 90
  PID 2212 wrote to memory of 1312 | 2212 | Bb6tk4gA.exe | 90
  PID 1312 wrote to memory of 4732 | 1312 | UA0dr1jB.exe | 91
  PID 1312 wrote to memory of 4732 | 1312 | UA0dr1jB.exe | 91
  PID 1312 wrote to memory of 4732 | 1312 | UA0dr1jB.exe | 91
  PID 4732 wrote to memory of 648 | 4732 | LM8lO9hX.exe | 92
  PID 4732 wrote to memory of 648 | 4732 | LM8lO9hX.exe | 92
  PID 4732 wrote to memory of 648 | 4732 | LM8lO9hX.exe | 92
  PID 648 wrote to memory of 1496 | 648 | 1Nh04DF3.exe | 94
  PID 648 wrote to memory of 1496 | 648 | 1Nh04DF3.exe | 94
  PID 648 wrote to memory of 1496 | 648 | 1Nh04DF3.exe | 94
  PID 648 wrote to memory of 1496 | 648 | 1Nh04DF3.exe | 94
  PID 648 wrote to memory of 1496 | 648 | 1Nh04DF3.exe | 94
  PID 648 wrote to memory of 1496 | 648 | 1Nh04DF3.exe | 94
  PID 648 wrote to memory of 1496 | 648 | 1Nh04DF3.exe | 94
  PID 648 wrote to memory of 1496 | 648 | 1Nh04DF3.exe | 94
  PID 648 wrote to memory of 1496 | 648 | 1Nh04DF3.exe | 94
  PID 648 wrote to memory of 1496 | 648 | 1Nh04DF3.exe | 94
  PID 4732 wrote to memory of 3152 | 4732 | LM8lO9hX.exe | 99
  PID 4732 wrote to memory of 3152 | 4732 | LM8lO9hX.exe | 99
  PID 4732 wrote to memory of 3152 | 4732 | LM8lO9hX.exe | 99
Processes (indentation shows the parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe  (PID 4960)
  command line: "C:\Users\Admin\AppData\Local\Temp\7ffa888fbab3ebf2f529903826e30370223800cb9e63fec0dcd7a9683e6021e1.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY3IT2vS.exe  (PID 4864)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qY3IT2vS.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bb6tk4gA.exe  (PID 2212)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bb6tk4gA.exe
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UA0dr1jB.exe  (PID 1312)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UA0dr1jB.exe
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LM8lO9hX.exe  (PID 4732)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LM8lO9hX.exe
          signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nh04DF3.exe  (PID 648)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nh04DF3.exe
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 1496)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              C:\Windows\SysWOW64\WerFault.exe  (PID 4368)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 540
                signatures: Program crash
            C:\Windows\SysWOW64\WerFault.exe  (PID 1364)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 152
              signatures: Program crash
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xg494Yp.exe  (PID 3152)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xg494Yp.exe
            signatures: Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe  (PID 3828)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 648 -ip 648
C:\Windows\SysWOW64\WerFault.exe  (PID 4644)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1496 -ip 1496
Downloads
- Filesize: 1.0MB
  MD5: 7d8bce8a938054d015700b4c48b17712
  SHA1: 97439d5d78eb7f6137f71ac67b2e43cdaeee08fa
  SHA256: 928519206beaf315b784a5ff08e8c5cd0cb87973bb09ea8cc93634ab2f480c28
  SHA512: cfecd593080010efd4252d2da37baf3fc0a6acc80d5585479b3d16b70ae22e2499e19a2aeee7883c4301e7e621bf278d1b154dfe1f0de0e840f3f418e0f4b2fc
- Filesize: 884KB
  MD5: 1f64d4e95e750972b6ca8da2ca7f200e
  SHA1: 095a309f4b1051dfd077467f53898401614dd5e8
  SHA256: e4e49b8568937c43bba5621fcfe9e3762efb9c4078b3287603ef249c522d126d
  SHA512: 024e0f80fbdfd0c55b1ffdb782454dbfd5be9facb112fb0bc11c154a227b99a4d9ee512a17e899c58caf7227a4220b464cc4587e694e02675844cdbb5fb071de
- Filesize: 590KB
  MD5: 51c4e08e66ba110fc409dd29756663a9
  SHA1: eebcc81a6df9af1f9f83338cd4025581063cba16
  SHA256: 9a0c968ae1804661c5bef3200fe2981f14f49e385f32f398316f57620825d0a3
  SHA512: 0adcf46abf851327e0dcbde29f0cbb4ac2a8edb6409dc3656200859c63b1e9a45809bd34ed2ac0d4c8b6fa56a2448bde37af15772b2b18c93a040efaae1466c1
- Filesize: 417KB
  MD5: ed39b18378f94c9be599adcabf326d5e
  SHA1: 242a649a528bfe33d35032338737d9d80d54ddc0
  SHA256: 0289e8beece7f929ee4f1866f135bf6643fc3acb7b1d8f032344a8ea80b0a508
  SHA512: 658c269a273ad03f4b8767d98c09308073a666d99d6efe815d0dd2b2d48d004392e5eda174084bc0fa87b48f39d4a89a4824c5018431ad147e1d611aca3e7a10
- Filesize: 378KB
  MD5: f0831f173733de08511f3a0739f278a6
  SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
  SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
  SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3
- Filesize: 231KB
  MD5: 3ad22e3c5ba832c17ae0ce322cdfa8bc
  SHA1: c8d4b98f62698287ae004a8f73612d7080ac0416
  SHA256: 2b56240abd8cc504dafbd738f0e52a21e3e0a4b82b74eb32848cf58feef71fe3
  SHA512: 6fac06c77feda96873aa406e349487f248760b15ac011902b20ac0a7c4e799e4064806ff5f043405ddfe060cda8d6e20ef84dbf554debcb4cfeeb892133b2b81