Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/10/2023, 06:31

Static task: static1
Behavioral task: behavioral1
- Sample: 301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2.exe
- Resource: win10v2004-20230915-en
General
- Target: 301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2.exe
- Size: 1.2MB
- MD5: 4ba30a08673fd97bcaeb27d725be1d2b
- SHA1: 9b5386126bd576af3af8aa7ae6e0475db49a11a9
- SHA256: 301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2
- SHA512: 733d3f779a5e29f48acfcfb9bf3c677884bba0926b05567ca2fc83b93f90539ba3667530218409a0ebfe52d22055d55f64ce39e29283e59056c7f08c8ac83243
- SSDEEP: 24576:XyO7T9Em/2HLhKM4mO+6YW+01hdA/KgMHdDVM5Ferg:iO72HLhhD6BFQKlHdDVM5Mr
Malware Config
Extracted
- Family: redline
- Botnet: gigant
- C2: 77.91.124.55:19071
Signatures
- Detect Mystic stealer payload (4 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/3176-35-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/3176-36-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/3176-37-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral1/memory/3176-39-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource                                                                    yara_rule
  behavioral1/files/0x00080000000231eb-41.dat                                 family_redline
  behavioral1/files/0x00080000000231eb-42.dat                                 family_redline
  behavioral1/memory/4292-43-0x0000000000430000-0x000000000046E000-memory.dmp  family_redline
- Executes dropped EXE (6 IoCs)
  pid   Process
  1644  wO8Aq2lq.exe
  4500  na6tL7Pn.exe
  1664  GZ3NJ9gf.exe
  3460  Zj9SX3Gs.exe
  2420  1HH11RY2.exe
  4292  2Hf972PA.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description      ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  wO8Aq2lq.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  na6tL7Pn.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  GZ3NJ9gf.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  Zj9SX3Gs.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process       procid_target
  PID 2420 set thread context of 3176   2420  1HH11RY2.exe  95
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4748  3176        WerFault.exe  95
  1960  2420        WerFault.exe  91
- Suspicious use of WriteProcessMemory (34 IoCs)
  description                        pid   Process                                                               procid_target
  PID 3540 wrote to memory of 1644   3540  301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2.exe  87
  PID 3540 wrote to memory of 1644   3540  301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2.exe  87
  PID 3540 wrote to memory of 1644   3540  301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2.exe  87
  PID 1644 wrote to memory of 4500   1644  wO8Aq2lq.exe  88
  PID 1644 wrote to memory of 4500   1644  wO8Aq2lq.exe  88
  PID 1644 wrote to memory of 4500   1644  wO8Aq2lq.exe  88
  PID 4500 wrote to memory of 1664   4500  na6tL7Pn.exe  89
  PID 4500 wrote to memory of 1664   4500  na6tL7Pn.exe  89
  PID 4500 wrote to memory of 1664   4500  na6tL7Pn.exe  89
  PID 1664 wrote to memory of 3460   1664  GZ3NJ9gf.exe  90
  PID 1664 wrote to memory of 3460   1664  GZ3NJ9gf.exe  90
  PID 1664 wrote to memory of 3460   1664  GZ3NJ9gf.exe  90
  PID 3460 wrote to memory of 2420   3460  Zj9SX3Gs.exe  91
  PID 3460 wrote to memory of 2420   3460  Zj9SX3Gs.exe  91
  PID 3460 wrote to memory of 2420   3460  Zj9SX3Gs.exe  91
  PID 2420 wrote to memory of 2368   2420  1HH11RY2.exe  93
  PID 2420 wrote to memory of 2368   2420  1HH11RY2.exe  93
  PID 2420 wrote to memory of 2368   2420  1HH11RY2.exe  93
  PID 2420 wrote to memory of 4912   2420  1HH11RY2.exe  94
  PID 2420 wrote to memory of 4912   2420  1HH11RY2.exe  94
  PID 2420 wrote to memory of 4912   2420  1HH11RY2.exe  94
  PID 2420 wrote to memory of 3176   2420  1HH11RY2.exe  95
  PID 2420 wrote to memory of 3176   2420  1HH11RY2.exe  95
  PID 2420 wrote to memory of 3176   2420  1HH11RY2.exe  95
  PID 2420 wrote to memory of 3176   2420  1HH11RY2.exe  95
  PID 2420 wrote to memory of 3176   2420  1HH11RY2.exe  95
  PID 2420 wrote to memory of 3176   2420  1HH11RY2.exe  95
  PID 2420 wrote to memory of 3176   2420  1HH11RY2.exe  95
  PID 2420 wrote to memory of 3176   2420  1HH11RY2.exe  95
  PID 2420 wrote to memory of 3176   2420  1HH11RY2.exe  95
  PID 2420 wrote to memory of 3176   2420  1HH11RY2.exe  95
  PID 3460 wrote to memory of 4292   3460  Zj9SX3Gs.exe  100
  PID 3460 wrote to memory of 4292   3460  Zj9SX3Gs.exe  100
  PID 3460 wrote to memory of 4292   3460  Zj9SX3Gs.exe  100
Processes
- C:\Users\Admin\AppData\Local\Temp\301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2.exe (PID 3540)
  Command line: "C:\Users\Admin\AppData\Local\Temp\301dab91222f7ec5df8ac2e0b92a8a671697e53c29e55f14ad84643cc48bbed2.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wO8Aq2lq.exe (PID 1644)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wO8Aq2lq.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\na6tL7Pn.exe (PID 4500)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\na6tL7Pn.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GZ3NJ9gf.exe (PID 1664)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GZ3NJ9gf.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj9SX3Gs.exe (PID 3460)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zj9SX3Gs.exe
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HH11RY2.exe (PID 2420)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HH11RY2.exe
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2368)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4912)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3176)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - C:\Windows\SysWOW64\WerFault.exe (PID 4748)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 540
                Signatures: Program crash
            - C:\Windows\SysWOW64\WerFault.exe (PID 1960)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 608
              Signatures: Program crash
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hf972PA.exe (PID 4292)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hf972PA.exe
            Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 4508)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2420 -ip 2420
- C:\Windows\SysWOW64\WerFault.exe (PID 2508)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3176 -ip 3176
Network
MITRE ATT&CK Enterprise v15
Downloads