Analysis
max time kernel: 140s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/10/2023, 05:57
Static task: static1
Behavioral task: behavioral1
Sample: cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe
Resource: win10v2004-20230915-en
General
Target: cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe
Size: 1.2MB
MD5: 60b65873499b670af790e8c478c81d03
SHA1: a86f6c95f71095bc7b321e884b22e04c0ee1e71d
SHA256: cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8
SHA512: 588017e4703165050813364b7232cf9df221d19f77267056793c75eb695769b4b314dec63f25ce821fe472acb9125681af70c26c11677d5470f20e671c5c8303
SSDEEP: 24576:IygYfxIkhZ7KctiPdkOkXDjuyx+1re/2ymkPGnQ8Ms26SCvi:Pgo3hZ7Kck5wug/HpOQ81rv
Malware Config
Extracted
Family: redline
Botnet: gigant
C2: 77.91.124.55:19071
Signatures

Detect Mystic stealer payload (4 IoCs)
resource  yara_rule
behavioral1/memory/1224-35-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
behavioral1/memory/1224-36-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
behavioral1/memory/1224-37-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
behavioral1/memory/1224-39-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource  yara_rule
behavioral1/files/0x0006000000023244-41.dat  family_redline
behavioral1/files/0x0006000000023244-42.dat  family_redline
behavioral1/memory/3404-43-0x0000000000790000-0x00000000007CE000-memory.dmp  family_redline

Executes dropped EXE (6 IoCs)
pid   Process
4696  iR7Fx1Rq.exe
4212  ZR9Dw9yP.exe
3108  Xj0FP2kg.exe
1784  uU9rr3lu.exe
2208  1uL08WU1.exe
3404  2sg394AL.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
description      ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  iR7Fx1Rq.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  ZR9Dw9yP.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  Xj0FP2kg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  uU9rr3lu.exe

Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process       procid_target
PID 2208 set thread context of 1224  2208  1uL08WU1.exe  91

Program crash (2 IoCs)
pid   pid_target  Process       procid_target
4188  2208        WerFault.exe  87
4060  1224        WerFault.exe  91

Suspicious use of WriteProcessMemory (31 IoCs)
description                        pid   Process                                                                   procid_target
PID 3688 wrote to memory of 4696   3688  cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe  82
PID 3688 wrote to memory of 4696   3688  cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe  82
PID 3688 wrote to memory of 4696   3688  cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe  82
PID 4696 wrote to memory of 4212   4696  iR7Fx1Rq.exe  84
PID 4696 wrote to memory of 4212   4696  iR7Fx1Rq.exe  84
PID 4696 wrote to memory of 4212   4696  iR7Fx1Rq.exe  84
PID 4212 wrote to memory of 3108   4212  ZR9Dw9yP.exe  85
PID 4212 wrote to memory of 3108   4212  ZR9Dw9yP.exe  85
PID 4212 wrote to memory of 3108   4212  ZR9Dw9yP.exe  85
PID 3108 wrote to memory of 1784   3108  Xj0FP2kg.exe  86
PID 3108 wrote to memory of 1784   3108  Xj0FP2kg.exe  86
PID 3108 wrote to memory of 1784   3108  Xj0FP2kg.exe  86
PID 1784 wrote to memory of 2208   1784  uU9rr3lu.exe  87
PID 1784 wrote to memory of 2208   1784  uU9rr3lu.exe  87
PID 1784 wrote to memory of 2208   1784  uU9rr3lu.exe  87
PID 2208 wrote to memory of 4888   2208  1uL08WU1.exe  90
PID 2208 wrote to memory of 4888   2208  1uL08WU1.exe  90
PID 2208 wrote to memory of 4888   2208  1uL08WU1.exe  90
PID 2208 wrote to memory of 1224   2208  1uL08WU1.exe  91
PID 2208 wrote to memory of 1224   2208  1uL08WU1.exe  91
PID 2208 wrote to memory of 1224   2208  1uL08WU1.exe  91
PID 2208 wrote to memory of 1224   2208  1uL08WU1.exe  91
PID 2208 wrote to memory of 1224   2208  1uL08WU1.exe  91
PID 2208 wrote to memory of 1224   2208  1uL08WU1.exe  91
PID 2208 wrote to memory of 1224   2208  1uL08WU1.exe  91
PID 2208 wrote to memory of 1224   2208  1uL08WU1.exe  91
PID 2208 wrote to memory of 1224   2208  1uL08WU1.exe  91
PID 2208 wrote to memory of 1224   2208  1uL08WU1.exe  91
PID 1784 wrote to memory of 3404   1784  uU9rr3lu.exe  98
PID 1784 wrote to memory of 3404   1784  uU9rr3lu.exe  98
PID 1784 wrote to memory of 3404   1784  uU9rr3lu.exe  98
Processes

C:\Users\Admin\AppData\Local\Temp\cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe"
  PID: 3688
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe
    PID: 4696
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe
      PID: 4212
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe
        PID: 3108
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe
          PID: 1784
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe
            PID: 2208
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 4888
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 1224
              C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 540
                PID: 4060
                - Program crash
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 140
              PID: 4188
              - Program crash
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sg394AL.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sg394AL.exe
            PID: 3404
            - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2208 -ip 2208
  PID: 4356

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1224 -ip 1224
  PID: 3400
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.0MB
MD5: 01489436d6923d5488b1ef3e1104f48f
SHA1: 13fa5cf952edde15aeb0d2ac17d9323e14d20f50
SHA256: 4d18a63557153adbc9f367c21d57f0a888fcb6f3f797869311697caa6fdcd032
SHA512: 7ce69d12ee4431bead9adf0ff63559c2af38a2e55ec08a37905ecfa1d1c7aa548b72ee8be7c00daf55b47968e5affc348d8915ff7bad57619c940dbc4ab90f32

Filesize: 884KB
MD5: 30b9ce54f08a8b95af9491aa42123229
SHA1: b0e511cd8aaf2fba3881ca11c292bcaa1314a45b
SHA256: 1226b78f3ca52f91cffbd7cc2fe615eeffe6efd6d9980aeb32edd412102bab93
SHA512: 607bfad34cc2fff5e638e5e0facce7bcdefb7634ca8b4db3bc598fbd31c6b8047f97679b32a62bd4021672d435bfca434885271e94b22fc36c0e22295292d48d

Filesize: 590KB
MD5: 1237b26f3e950ce05093761becb58f56
SHA1: 00a652ca751bafc6d05f5e009a5947c7c20fe5c2
SHA256: 1b8bef44ece7d87c35f0e72c2c9121ba9d66d6100800ab4e8c1556e954932c82
SHA512: 4519342be2ec82351d1e818233b02d99069b60b76fa7e01eefdaff42b32e12fc54b0aeb954886fa2be7573c81240271daf5a770fd296f5aeb02c488db001097c

Filesize: 417KB
MD5: db2794718ef6131807cca8e53d73705b
SHA1: 3121962a83e510316deda4a3951e75fccedc3050
SHA256: f7f1c0abe9560fcd1c9b6bb5b38570c3954a8707c71f70cab795f27b39385512
SHA512: 0b1a8b9c695721df5b6ba15bdbb220911b7240efd037e16f015cb2661be4697e3e0c81b9b414273fbbe31452acb12f304556d4bf2fa69ba381a3821292162771

Filesize: 378KB
MD5: f0831f173733de08511f3a0739f278a6
SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Filesize: 231KB
MD5: d18946f32be537ad35f153f222ebb436
SHA1: b82bb1ff48155a437fdd2bac49bee6972a137f3a
SHA256: 1607f0ac47c36cdff11a395d07240fabc26b9c91383ebebad4825a05c32f5e8c
SHA512: d506fa4235fd799e356c3a989166a344d3500c0c73c3094c34b7bf797feec492c4c955393ae535ff0ada7002d049eb61f698caf237ad1af1b1297a5cbbeae554