Analysis

  • max time kernel
    140s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/10/2023, 05:57

General

  • Target

    cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe

  • Size

    1.2MB

  • MD5

    60b65873499b670af790e8c478c81d03

  • SHA1

    a86f6c95f71095bc7b321e884b22e04c0ee1e71d

  • SHA256

    cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8

  • SHA512

    588017e4703165050813364b7232cf9df221d19f77267056793c75eb695769b4b314dec63f25ce821fe472acb9125681af70c26c11677d5470f20e671c5c8303

  • SSDEEP

    24576:IygYfxIkhZ7KctiPdkOkXDjuyx+1re/2ymkPGnQ8Ms26SCvi:Pgo3hZ7Kck5wug/HpOQ81rv

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe
    "C:\Users\Admin\AppData\Local\Temp\cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4212
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3108
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1784
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2208
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                  PID:4888
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  7⤵
                    PID:1224
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 540
                      8⤵
                      • Program crash
                      PID:4060
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 140
                    7⤵
                    • Program crash
                    PID:4188
                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sg394AL.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sg394AL.exe
                  6⤵
                  • Executes dropped EXE
                  PID:3404
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2208 -ip 2208
        1⤵
          PID:4356
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1224 -ip 1224
          1⤵
            PID:3400

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe

                  Filesize

                  1.0MB

                  MD5

                  01489436d6923d5488b1ef3e1104f48f

                  SHA1

                  13fa5cf952edde15aeb0d2ac17d9323e14d20f50

                  SHA256

                  4d18a63557153adbc9f367c21d57f0a888fcb6f3f797869311697caa6fdcd032

                  SHA512

                  7ce69d12ee4431bead9adf0ff63559c2af38a2e55ec08a37905ecfa1d1c7aa548b72ee8be7c00daf55b47968e5affc348d8915ff7bad57619c940dbc4ab90f32

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe

                  Filesize

                  884KB

                  MD5

                  30b9ce54f08a8b95af9491aa42123229

                  SHA1

                  b0e511cd8aaf2fba3881ca11c292bcaa1314a45b

                  SHA256

                  1226b78f3ca52f91cffbd7cc2fe615eeffe6efd6d9980aeb32edd412102bab93

                  SHA512

                  607bfad34cc2fff5e638e5e0facce7bcdefb7634ca8b4db3bc598fbd31c6b8047f97679b32a62bd4021672d435bfca434885271e94b22fc36c0e22295292d48d

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe

                  Filesize

                  590KB

                  MD5

                  1237b26f3e950ce05093761becb58f56

                  SHA1

                  00a652ca751bafc6d05f5e009a5947c7c20fe5c2

                  SHA256

                  1b8bef44ece7d87c35f0e72c2c9121ba9d66d6100800ab4e8c1556e954932c82

                  SHA512

                  4519342be2ec82351d1e818233b02d99069b60b76fa7e01eefdaff42b32e12fc54b0aeb954886fa2be7573c81240271daf5a770fd296f5aeb02c488db001097c

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe

                  Filesize

                  417KB

                  MD5

                  db2794718ef6131807cca8e53d73705b

                  SHA1

                  3121962a83e510316deda4a3951e75fccedc3050

                  SHA256

                  f7f1c0abe9560fcd1c9b6bb5b38570c3954a8707c71f70cab795f27b39385512

                  SHA512

                  0b1a8b9c695721df5b6ba15bdbb220911b7240efd037e16f015cb2661be4697e3e0c81b9b414273fbbe31452acb12f304556d4bf2fa69ba381a3821292162771

                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe

                  Filesize

                  378KB

                  MD5

                  f0831f173733de08511f3a0739f278a6

                  SHA1

                  06dc809d653c5d2c97386084ae13b50a73eb5b60

                  SHA256

                  8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

                  SHA512

                  19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sg394AL.exe

                  Filesize

                  231KB

                  MD5

                  d18946f32be537ad35f153f222ebb436

                  SHA1

                  b82bb1ff48155a437fdd2bac49bee6972a137f3a

                  SHA256

                  1607f0ac47c36cdff11a395d07240fabc26b9c91383ebebad4825a05c32f5e8c

                  SHA512

                  d506fa4235fd799e356c3a989166a344d3500c0c73c3094c34b7bf797feec492c4c955393ae535ff0ada7002d049eb61f698caf237ad1af1b1297a5cbbeae554

                • memory/1224-36-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                • memory/1224-37-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                • memory/1224-39-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                • memory/1224-35-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                • memory/3404-46-0x00000000075B0000-0x0000000007642000-memory.dmp

                  Filesize

                  584KB

                • memory/3404-44-0x0000000073DE0000-0x0000000074590000-memory.dmp

                  Filesize

                  7.7MB

                • memory/3404-45-0x0000000007AC0000-0x0000000008064000-memory.dmp

                  Filesize

                  5.6MB

                • memory/3404-43-0x0000000000790000-0x00000000007CE000-memory.dmp

                  Filesize

                  248KB

                • memory/3404-47-0x00000000077E0000-0x00000000077F0000-memory.dmp

                  Filesize

                  64KB

                • memory/3404-48-0x0000000007570000-0x000000000757A000-memory.dmp

                  Filesize

                  40KB

                • memory/3404-49-0x0000000008690000-0x0000000008CA8000-memory.dmp

                  Filesize

                  6.1MB

                • memory/3404-50-0x0000000007900000-0x0000000007A0A000-memory.dmp

                  Filesize

                  1.0MB

                • memory/3404-51-0x00000000077F0000-0x0000000007802000-memory.dmp

                  Filesize

                  72KB

                • memory/3404-52-0x0000000007850000-0x000000000788C000-memory.dmp

                  Filesize

                  240KB

                • memory/3404-53-0x0000000007890000-0x00000000078DC000-memory.dmp

                  Filesize

                  304KB

                • memory/3404-54-0x0000000073DE0000-0x0000000074590000-memory.dmp

                  Filesize

                  7.7MB

                • memory/3404-55-0x00000000077E0000-0x00000000077F0000-memory.dmp

                  Filesize

                  64KB