Analysis Overview
SHA256
5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58
Threat Level: Known bad
The file 5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Detect Mystic stealer payload
Mystic
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-10-07 06:23
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-07 06:23
Reported
2023-10-07 06:26
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
150s
Signatures
Detect Mystic stealer payload
Mystic
RedLine
RedLine payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lw469gT.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4192 set thread context of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe | "C:\Users\Admin\AppData\Local\Temp\5c5167b5fa76db29ca8ae12f128646effd9bcc1c8956371aaee13bddc98fbe58.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3188 -ip 3188 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4192 -ip 4192 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 600 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 540 |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lw469gT.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lw469gT.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 198.111.78.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jy9vG4vV.exe
| MD5 | 92bcae9523fa276ff5cbec7700876fe5 |
| SHA1 | 308a273b3e213e1d1f77d4e8ba4c586bf6054ba8 |
| SHA256 | cc1aa43c0328e4b58f784be077e6b72d9deb9079c2858217338704d5e952cb7c |
| SHA512 | f2bbb48ad972572b83a00e421714e6e0e69e24eca3f5a94996a7b06d78361c4a78e2db3411cc35c50f0994f2c5af7384a15e547d9bf012c4ea57e43275448c30 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XM1sC3iy.exe
| MD5 | ea0ac474ffd1b5126c78f897ebf94d9d |
| SHA1 | 8abdd1a8911c3c4093490afd7ed89527b7670ed6 |
| SHA256 | f5d2169a9ecc93fd57c081e3b609dce0d546f026584245c9b519c5c06ad0fa79 |
| SHA512 | 17b5a3fc6f6f87cc4f44899e902f5ecabf252c3834ba52ce718b36bf7036e096e8945a876b1c3809f1a9bc495a6a1e8e12a4edd4153d30344dc8ba200dd6d23d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yB3qe9oe.exe
| MD5 | 17690c1b10bae3f34acae87975eba51e |
| SHA1 | f9c9cc016eb1158101fda934ad1f77f788714a8e |
| SHA256 | 155aa6b44d63f75e82d3c8ed71c473dcc489f72f1ea888934193d6d3eeb0f7db |
| SHA512 | 21585c47ffdea3750afd0d6d488036a56b72da78703e9d4dc1d1246ce67de8004c341a0f0862386a9faf8664f2add457f32c4536c3fee0ecfb64b567b03bcd4e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI3fo3mF.exe
| MD5 | 459be124daa7b2cee946a6e817bc4aca |
| SHA1 | 0a7cc81eb16d44bd4f95de294eda2fde57e66c2b |
| SHA256 | 0d68190bc3532fb0efb7df9df9e3036bd6abfc1d2fdb1e20cae06941abc67abf |
| SHA512 | 44e5770efcfb1c399b9c6777c28a2419f07b3b6199f73f1eacb0abc7baf8fe6618124b291dfa8428deb8ec3de1d65b52b613e4ae88d9a58710e6d0e6ac7dee3e |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PY13Ks8.exe
| MD5 | f0831f173733de08511f3a0739f278a6 |
| SHA1 | 06dc809d653c5d2c97386084ae13b50a73eb5b60 |
| SHA256 | 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27 |
| SHA512 | 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3 |
memory/3188-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3188-36-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3188-37-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3188-39-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lw469gT.exe
| MD5 | 0258dbe115a62667aa8a06ad3d8fd735 |
| SHA1 | 98b2234856ef0a8adc212f03c67a7efbd77e5c96 |
| SHA256 | 6af2a1fafa879b054235181766ea8a987b56bff4873438da5e380dfcd11579d3 |
| SHA512 | b88f519b92c80f51447e08f33ee1ca1cd3f8316ff85a9c301542d7ef79bc5b80ea41c47b2892c69796320a3702b6d88fce123cc88656ae96e9c3d90fa3fc6324 |