Analysis Overview
SHA256
cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8
Threat Level: Known bad
The file cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8 was found to be: Known bad.
Malicious Activity Summary
Mystic
Detect Mystic stealer payload
RedLine
RedLine payload
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-07 05:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-07 05:57
Reported
2023-10-07 05:59
Platform
win10v2004-20230915-en
Max time kernel
140s
Max time network
157s
Command Line
Signatures
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Mystic
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sg394AL.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe | N/A |
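The five RunOnce values above are not an autostart for the dropped payload. They are the cleanup entries that the stock Windows self-extractor (wextract.exe, the IExpress SFX stub) writes so that its IXP00N.TMP directory is deleted by advpack.dll's DelNodeRunDLL32 at the next logon; the value deletes a directory, it launches nothing. What the rows do reveal is the nesting order: each stage registers cleanup for the directory it extracted into, and the executable that appears in that directory is the next stage. The Python below is an added example written for this page (not part of the report or of the sandbox's tooling) that rebuilds the chain from the rows above and separates such cleanup entries from values that would genuinely count as persistence; the "Updater" value used as the contrast case in the demo is constructed.

```python
import re
from collections import defaultdict

# Constructed from the RunOnce rows of this report: (writer process, value name, value data).
RUNONCE_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe",
     "wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe", "wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe", "wextract_cleanup2",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe", "wextract_cleanup3",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe", "wextract_cleanup4",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"'),
]

# Constructed from the "Executes dropped EXE" rows of this report.
DROPPED_EXES = [
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sg394AL.exe",
]

# Stock wextract.exe cleanup: rundll32 advpack.dll,DelNodeRunDLL32 "<extraction dir>"
SFX_CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)\\?"?\s*$',
    re.IGNORECASE,
)


def classify_runonce(value_name, value_data):
    """Return ("sfx_cleanup", <dir>) for the self-extractor's delete-my-temp-dir entry,
    otherwise ("possible_persistence", <data>) so the analyst looks at it."""
    m = SFX_CLEANUP_RE.match(value_data)
    if m and value_name.lower().startswith("wextract_cleanup"):
        return "sfx_cleanup", m.group("dir").rstrip("\\")
    return "possible_persistence", value_data


def rebuild_sfx_chain(runonce_events, dropped_exes):
    """Link each SFX stage to the executables it unpacked.

    The process that writes wextract_cleanupN extracted into the directory named in
    the value; whatever was executed from that directory is the next stage."""
    exes_by_dir = defaultdict(list)
    for exe in dropped_exes:
        exes_by_dir[exe.rsplit("\\", 1)[0].lower()].append(exe)
    chain = []
    for writer, name, data in runonce_events:
        kind, target = classify_runonce(name, data)
        if kind == "sfx_cleanup":
            chain.append((writer, target, exes_by_dir.get(target.lower(), [])))
    return chain


def render_chain(chain):
    """Indented text view: parent -> temp dir, then the children found in it."""
    lines = []
    for depth, (parent, tmpdir, children) in enumerate(chain):
        lines.append("  " * depth + parent.rsplit("\\", 1)[1] + " -> " + tmpdir.rsplit("\\", 1)[1])
        for child in children:
            lines.append("  " * (depth + 1) + "extracts " + child.rsplit("\\", 1)[1])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_chain(rebuild_sfx_chain(RUNONCE_EVENTS, DROPPED_EXES)))
    # Constructed contrast case: a value that really would relaunch something at logon.
    print(classify_runonce("Updater", r'"C:\Users\Admin\AppData\Roaming\svc.exe"'))
```

The chain comes out as five nested stages ending in IXP004.TMP, which is the only directory holding two executables (1uL08WU1.exe and 2sg394AL.exe); that is where the packaging stops and the payloads begin, so those two files are the ones to carry into the hollowing and network sections.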
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2208 set thread context of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe | "C:\Users\Admin\AppData\Local\Temp\cf8168027946357c773e3a0cfcaaa3cb58daa1a641b2c39d7587b7634036f9c8.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2208 -ip 2208 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1224 -ip 1224 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 140 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 540 |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sg394AL.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sg394AL.exe |
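The SetThreadContext row, the two WerFault pairs in the process list and the memory/1224-* dumps in the Files section describe one event from three angles: 1uL08WU1.exe (PID 2208) started AppLaunch.exe (PID 1224), a Microsoft-signed .NET host, reset a thread context in it (with suspicious WriteProcessMemory use also flagged), and both processes then crashed under the SysWOW64 copy of WerFault, which is the handler for 32-bit processes. The Python below is an added example written for this page (not the sandbox's own code) that joins those three sources: it extracts the crashing PID from each WerFault command line, parses each dump name into (pid, base, size), and reports whether the host carried a region starting at 0x00400000, the default image base of a 32-bit executable, which is what a foreign PE mapped over a host (process hollowing) looks like. The region size 0x28000 is computed from the dump names, not assumed.

```python
import re
from collections import defaultdict

# Constructed from this report's "Suspicious use of SetThreadContext" row.
INJECTION_EVENTS = [
    {"src_pid": 2208, "src": r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe",
     "dst_pid": 1224, "dst": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
]

# Constructed from the WerFault.exe command lines in the process list.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2208 -ip 2208",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1224 -ip 1224",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 140",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 540",
]

# Constructed from the memory dump names in the Files section (a subset of the 3404 dumps).
MEMORY_DUMPS = [
    "memory/1224-35-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/1224-36-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/1224-37-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/1224-39-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/3404-43-0x0000000000790000-0x00000000007CE000-memory.dmp",
    "memory/3404-44-0x0000000073DE0000-0x0000000074590000-memory.dmp",
]

# "-p <pid>" only; must not match "-pss" or "-ip <pid>".
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")
# memory/<pid>-<seq>-0x<base>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
DEFAULT_IMAGE_BASE_32 = 0x00400000  # linker default ImageBase for 32-bit EXEs


def werfault_crashed_pid(cmdline):
    """PID of the faulting process named on a WerFault command line, or None."""
    m = WERFAULT_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def parse_dump_name(name):
    """Split a sandbox dump file name into pid, sequence number, base and size."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq = int(m.group(1)), int(m.group(2))
    base, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": pid, "seq": seq, "base": base, "size": end - base}


def correlate(injections, werfault_cmdlines, dump_names):
    """For each injector->host pair, say whether each side crashed and what was dumped from the host."""
    crashed = {werfault_crashed_pid(c) for c in werfault_cmdlines} - {None}
    regions = defaultdict(set)
    for d in filter(None, map(parse_dump_name, dump_names)):
        regions[d["pid"]].add((d["base"], d["size"]))
    findings = []
    for ev in injections:
        host_regions = sorted(regions[ev["dst_pid"]])
        findings.append({
            "injector": ev["src"],
            "host": ev["dst"],
            "injector_crashed": ev["src_pid"] in crashed,
            "host_crashed": ev["dst_pid"] in crashed,
            "host_regions": host_regions,
            # A region at the default image base inside a signed Microsoft host is the
            # footprint of a PE mapped over the host's own image.
            "image_at_default_base": any(base == DEFAULT_IMAGE_BASE_32 for base, _ in host_regions),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(INJECTION_EVENTS, WERFAULT_CMDLINES, MEMORY_DUMPS):
        print(f["injector"].rsplit("\\", 1)[1], "->", f["host"].rsplit("\\", 1)[1])
        print("  injector crashed:", f["injector_crashed"], " host crashed:", f["host_crashed"])
        for base, size in f["host_regions"]:
            print(f"  host region 0x{base:08X} size 0x{size:X}")
        print("  image at default base:", f["image_at_default_base"])
```

The four 1224 dumps all cover the same 0x28000-byte region at 0x00400000, so the sandbox captured the hollowed image repeatedly rather than four different payloads; that single region is the thing to carve a PE out of and hash.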
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
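The network table mixes three kinds of traffic: reverse (PTR) lookups sent to 8.8.8.8, traffic to tse1.mm.bing.net, and six raw-IP TCP connections to 77.91.124.55:19071 with no name resolution in front of them, which is the connection an analyst would carry forward as the stealer's C2 candidate. The Python below is an added example written for this page (not from the report or the sandbox) that classifies the rows, turns the in-addr.arpa names back into addresses and checks which of those addresses also show up as a forward destination in the same capture. Treating bing.net as Windows background activity is an assumption about this sandbox profile, stated in the code.

```python
from collections import Counter

# Constructed from the Network table of this report: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "2.136.104.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "1.202.248.87.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "57.169.31.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "146.78.124.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "103.169.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.81.21.72.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "26.35.223.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "200.197.79.204.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "126.177.238.8.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
    ("US", "8.8.8.8:53", "9.173.189.20.in-addr.arpa", "udp"),
    ("FI", "77.91.124.55:19071", "", "tcp"),
]

# Assumption for this sandbox profile: bing.net traffic is Windows background noise, not the sample's.
BACKGROUND_SUFFIXES = (".bing.net",)


def ptr_to_ip(name):
    """'2.136.104.51.in-addr.arpa' -> '51.104.136.2'; None if not a valid IPv4 PTR name."""
    name = name.lower().rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        return None
    labels = name[: -len(".in-addr.arpa")].split(".")
    if len(labels) != 4 or not all(label.isdigit() and int(label) <= 255 for label in labels):
        return None
    return ".".join(reversed(labels))


def triage_network(rows):
    """Split the rows into raw-IP TCP (C2 candidates), background, and reverse lookups."""
    raw_ip_tcp, background, ptr_targets = Counter(), Counter(), []
    for country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain) if domain else None
        if ip:
            ptr_targets.append(ip)
        elif domain.endswith(BACKGROUND_SUFFIXES):
            background[(dest, domain)] += 1
        elif not domain and proto == "tcp":
            # A TCP session with no preceding DNS answer: the address was hard-coded.
            raw_ip_tcp[(dest, country)] += 1
    forward_dests = {dest.rsplit(":", 1)[0] for _, dest, _, _ in rows}
    return {
        "raw_ip_tcp": dict(raw_ip_tcp),
        "background": dict(background),
        "ptr_lookups": ptr_targets,
        # Reverse lookups for addresses this capture never actually connected to.
        "ptr_without_forward_connection": [ip for ip in ptr_targets if ip not in forward_dests],
    }


if __name__ == "__main__":
    t = triage_network(NETWORK_ROWS)
    for (dest, country), n in t["raw_ip_tcp"].items():
        print(f"C2 candidate: {dest} ({country}) x{n}")
    print(len(t["ptr_lookups"]), "PTR lookups,",
          len(t["ptr_without_forward_connection"]), "with no forward connection in this capture")
```

Of the fifteen reverse lookups only one (204.79.197.200, the bing.net endpoint) corresponds to a connection in the capture, so the other fourteen give no evidence of the sample's own activity on their own; the indicator worth exporting from this table is the hard-coded 77.91.124.55:19071, contacted six times in 157 seconds.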
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iR7Fx1Rq.exe
| MD5 | 01489436d6923d5488b1ef3e1104f48f |
| SHA1 | 13fa5cf952edde15aeb0d2ac17d9323e14d20f50 |
| SHA256 | 4d18a63557153adbc9f367c21d57f0a888fcb6f3f797869311697caa6fdcd032 |
| SHA512 | 7ce69d12ee4431bead9adf0ff63559c2af38a2e55ec08a37905ecfa1d1c7aa548b72ee8be7c00daf55b47968e5affc348d8915ff7bad57619c940dbc4ab90f32 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZR9Dw9yP.exe
| MD5 | 30b9ce54f08a8b95af9491aa42123229 |
| SHA1 | b0e511cd8aaf2fba3881ca11c292bcaa1314a45b |
| SHA256 | 1226b78f3ca52f91cffbd7cc2fe615eeffe6efd6d9980aeb32edd412102bab93 |
| SHA512 | 607bfad34cc2fff5e638e5e0facce7bcdefb7634ca8b4db3bc598fbd31c6b8047f97679b32a62bd4021672d435bfca434885271e94b22fc36c0e22295292d48d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xj0FP2kg.exe
| MD5 | 1237b26f3e950ce05093761becb58f56 |
| SHA1 | 00a652ca751bafc6d05f5e009a5947c7c20fe5c2 |
| SHA256 | 1b8bef44ece7d87c35f0e72c2c9121ba9d66d6100800ab4e8c1556e954932c82 |
| SHA512 | 4519342be2ec82351d1e818233b02d99069b60b76fa7e01eefdaff42b32e12fc54b0aeb954886fa2be7573c81240271daf5a770fd296f5aeb02c488db001097c |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uU9rr3lu.exe
| MD5 | db2794718ef6131807cca8e53d73705b |
| SHA1 | 3121962a83e510316deda4a3951e75fccedc3050 |
| SHA256 | f7f1c0abe9560fcd1c9b6bb5b38570c3954a8707c71f70cab795f27b39385512 |
| SHA512 | 0b1a8b9c695721df5b6ba15bdbb220911b7240efd037e16f015cb2661be4697e3e0c81b9b414273fbbe31452acb12f304556d4bf2fa69ba381a3821292162771 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uL08WU1.exe
| MD5 | f0831f173733de08511f3a0739f278a6 |
| SHA1 | 06dc809d653c5d2c97386084ae13b50a73eb5b60 |
| SHA256 | 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27 |
| SHA512 | 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3 |
memory/1224-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1224-36-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1224-37-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1224-39-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sg394AL.exe
| MD5 | d18946f32be537ad35f153f222ebb436 |
| SHA1 | b82bb1ff48155a437fdd2bac49bee6972a137f3a |
| SHA256 | 1607f0ac47c36cdff11a395d07240fabc26b9c91383ebebad4825a05c32f5e8c |
| SHA512 | d506fa4235fd799e356c3a989166a344d3500c0c73c3094c34b7bf797feec492c4c955393ae535ff0ada7002d049eb61f698caf237ad1af1b1297a5cbbeae554 |
memory/3404-43-0x0000000000790000-0x00000000007CE000-memory.dmp
memory/3404-44-0x0000000073DE0000-0x0000000074590000-memory.dmp
memory/3404-45-0x0000000007AC0000-0x0000000008064000-memory.dmp
memory/3404-46-0x00000000075B0000-0x0000000007642000-memory.dmp
memory/3404-47-0x00000000077E0000-0x00000000077F0000-memory.dmp
memory/3404-48-0x0000000007570000-0x000000000757A000-memory.dmp
memory/3404-49-0x0000000008690000-0x0000000008CA8000-memory.dmp
memory/3404-50-0x0000000007900000-0x0000000007A0A000-memory.dmp
memory/3404-51-0x00000000077F0000-0x0000000007802000-memory.dmp
memory/3404-52-0x0000000007850000-0x000000000788C000-memory.dmp
memory/3404-53-0x0000000007890000-0x00000000078DC000-memory.dmp
memory/3404-54-0x0000000073DE0000-0x0000000074590000-memory.dmp
memory/3404-55-0x00000000077E0000-0x00000000077F0000-memory.dmp