Analysis
- max time kernel: 145s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/10/2023, 12:34
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.78c241ee205336f9ce449c104b1ea7608d71c8489aa07f4f55a84ae6d27ce915_JC.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: NEAS.78c241ee205336f9ce449c104b1ea7608d71c8489aa07f4f55a84ae6d27ce915_JC.exe
- Resource: win10v2004-20230915-en
General
- Target: NEAS.78c241ee205336f9ce449c104b1ea7608d71c8489aa07f4f55a84ae6d27ce915_JC.exe
- Size: 1.2MB
- MD5: abb7f8218366424a14a301054fc2ed57
- SHA1: 7f4884c03fa7103606b7ae4e2b90b1d2f133c6de
- SHA256: 78c241ee205336f9ce449c104b1ea7608d71c8489aa07f4f55a84ae6d27ce915
- SHA512: 272a0dfe6d314f0c0d11b294e61ca295487883b2efea846182ed486d62463bfa26a315ee964d1591a91bdd69c8118ca5125cec6a1b9ed0fdc20e525a278ef947
- SSDEEP: 24576:jymuXXxHJ27jd+Rdmkr84+TVkhuBFTj+x3Cmo5bpr1gEJ2:2mun727R+vrr9A+xymGpr1P
Malware Config
Extracted
- Family: redline
- Botnet: gigant
- C2: 77.91.124.55:19071
Signatures
- Detect Mystic stealer payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4624-35-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/4624-36-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/4624-37-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/4624-39-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x00070000000230b9-41.dat | family_redline
  behavioral2/files/0x00070000000230b9-42.dat | family_redline
  behavioral2/memory/2552-44-0x0000000000270000-0x00000000002AE000-memory.dmp | family_redline
- Executes dropped EXE (6 IoCs)
  pid | Process
  1632 | Yd0ce7ny.exe
  4608 | qY5EC2RY.exe
  1720 | lm7yb0Gr.exe
  820 | pp7ke4xk.exe
  4024 | 1Ac90eU7.exe
  2552 | 2MV608TZ.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | NEAS.78c241ee205336f9ce449c104b1ea7608d71c8489aa07f4f55a84ae6d27ce915_JC.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Yd0ce7ny.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | qY5EC2RY.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | lm7yb0Gr.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | pp7ke4xk.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4024 set thread context of 4624 | 4024 | 1Ac90eU7.exe | 95
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  1724 | 4024 | WerFault.exe | 92
  1316 | 4624 | WerFault.exe | 95
- Suspicious use of WriteProcessMemory (31 IoCs)
  description | pid | Process | procid_target
  PID 3732 wrote to memory of 1632 | 3732 | NEAS.78c241ee205336f9ce449c104b1ea7608d71c8489aa07f4f55a84ae6d27ce915_JC.exe | 86
  PID 3732 wrote to memory of 1632 | 3732 | NEAS.78c241ee205336f9ce449c104b1ea7608d71c8489aa07f4f55a84ae6d27ce915_JC.exe | 86
  PID 3732 wrote to memory of 1632 | 3732 | NEAS.78c241ee205336f9ce449c104b1ea7608d71c8489aa07f4f55a84ae6d27ce915_JC.exe | 86
  PID 1632 wrote to memory of 4608 | 1632 | Yd0ce7ny.exe | 87
  PID 1632 wrote to memory of 4608 | 1632 | Yd0ce7ny.exe | 87
  PID 1632 wrote to memory of 4608 | 1632 | Yd0ce7ny.exe | 87
  PID 4608 wrote to memory of 1720 | 4608 | qY5EC2RY.exe | 88
  PID 4608 wrote to memory of 1720 | 4608 | qY5EC2RY.exe | 88
  PID 4608 wrote to memory of 1720 | 4608 | qY5EC2RY.exe | 88
  PID 1720 wrote to memory of 820 | 1720 | lm7yb0Gr.exe | 91
  PID 1720 wrote to memory of 820 | 1720 | lm7yb0Gr.exe | 91
  PID 1720 wrote to memory of 820 | 1720 | lm7yb0Gr.exe | 91
  PID 820 wrote to memory of 4024 | 820 | pp7ke4xk.exe | 92
  PID 820 wrote to memory of 4024 | 820 | pp7ke4xk.exe | 92
  PID 820 wrote to memory of 4024 | 820 | pp7ke4xk.exe | 92
  PID 4024 wrote to memory of 3860 | 4024 | 1Ac90eU7.exe | 94
  PID 4024 wrote to memory of 3860 | 4024 | 1Ac90eU7.exe | 94
  PID 4024 wrote to memory of 3860 | 4024 | 1Ac90eU7.exe | 94
  PID 4024 wrote to memory of 4624 | 4024 | 1Ac90eU7.exe | 95
  PID 4024 wrote to memory of 4624 | 4024 | 1Ac90eU7.exe | 95
  PID 4024 wrote to memory of 4624 | 4024 | 1Ac90eU7.exe | 95
  PID 4024 wrote to memory of 4624 | 4024 | 1Ac90eU7.exe | 95
  PID 4024 wrote to memory of 4624 | 4024 | 1Ac90eU7.exe | 95
  PID 4024 wrote to memory of 4624 | 4024 | 1Ac90eU7.exe | 95
  PID 4024 wrote to memory of 4624 | 4024 | 1Ac90eU7.exe | 95
  PID 4024 wrote to memory of 4624 | 4024 | 1Ac90eU7.exe | 95
  PID 4024 wrote to memory of 4624 | 4024 | 1Ac90eU7.exe | 95
  PID 4024 wrote to memory of 4624 | 4024 | 1Ac90eU7.exe | 95
  PID 820 wrote to memory of 2552 | 820 | pp7ke4xk.exe | 100
  PID 820 wrote to memory of 2552 | 820 | pp7ke4xk.exe | 100
  PID 820 wrote to memory of 2552 | 820 | pp7ke4xk.exe | 100
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.78c241ee205336f9ce449c104b1ea7608d71c8489aa07f4f55a84ae6d27ce915_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.78c241ee205336f9ce449c104b1ea7608d71c8489aa07f4f55a84ae6d27ce915_JC.exe"
  PID: 3732
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yd0ce7ny.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yd0ce7ny.exe
    PID: 1632
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qY5EC2RY.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qY5EC2RY.exe
      PID: 4608
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lm7yb0Gr.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lm7yb0Gr.exe
        PID: 1720
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pp7ke4xk.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pp7ke4xk.exe
          PID: 820
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ac90eU7.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ac90eU7.exe
            PID: 4024
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 3860
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 4624
              - C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 540
                PID: 1316
                Signatures: Program crash
            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 140
              PID: 1724
              Signatures: Program crash
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MV608TZ.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MV608TZ.exe
            PID: 2552
            Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4024 -ip 4024
  PID: 3176
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4624 -ip 4624
  PID: 4036
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.0MB
  MD5: a1c095e45a0b6da572598ef9c33f6089
  SHA1: e4bdb84695b0a9db2794c26564f6b3639265dcec
  SHA256: 3dafd1c231623b4b65d76c167a8d92704983238cb4aed68a779360d8ef05123b
  SHA512: 5a3c7b5b341acba103a323ea4478e2aac17d253505025b1e4a8ecdb261832374056bd929e0deae15bd07a20480b5df448d06e511ac3b5895709d852698bc700e
- Filesize: 884KB
  MD5: ad819fd2029df5dd620823ced7b665b6
  SHA1: 006a40c51bb81393ddc1b783094bbab02bdea40b
  SHA256: 7046ce53a440d1b8b0d6e66b8318be07fbeb7247f7763edc9a80b4daf9b01bd5
  SHA512: 75581eb0b5eb76bcbf813eb6e28a513fad3e10f6bef6c337ee72e7d7fb115539ef33d94ea16f6caade4e134042604db300edd6d819f6d6bef5f0108832889aa5
- Filesize: 590KB
  MD5: 6ff6f59572e911314649d156c6548097
  SHA1: 9d05079ae5f8c2b84067a794e604ac8058daba79
  SHA256: ffe72c96ccd0a4387ccd3de954dd570103ef02596f61522622e2f064d44100fb
  SHA512: 1503a6278bdbfb778e58842c0c793da7c604ddc4bd172809571880cd60b06b243c61e53596464fc5b9869418f3082c768e7a67270c21cf553cce35dcbf271166
- Filesize: 417KB
  MD5: b81c6566a86ba4a9e4306c26e5baa9c8
  SHA1: 779b73cfedf3b57a76f864f1627aa0d29c794419
  SHA256: 0febaf03222ad3abf0405f14154ae39df890f6bb73d6ad97bfe55901f9bdc434
  SHA512: a7321204f4125e40a2919f0a9db48493e52105eba6d408f5c0f495493e5bfe0a5a924f44b7d95899a21c0d0f6a4d7300c4fbd121477b49e9555ef8b3656002ec
- Filesize: 378KB
  MD5: f0831f173733de08511f3a0739f278a6
  SHA1: 06dc809d653c5d2c97386084ae13b50a73eb5b60
  SHA256: 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
  SHA512: 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3
- Filesize: 231KB
  MD5: b5198d0881cbc6675de0d05fcbbd356d
  SHA1: 9c17c52f163b538f7cdd5fe93116fd5bd1d925bd
  SHA256: 2a858f8b24732a5d84ff4f7fa0967e91f2c402ea5b6faeb8da76323834ea8c7c
  SHA512: 32c605e0bf60658a89763063fe80dcbe836cc36964400002f7096f7c5d713460a64a6e871046bc3eb5db9ae53827ed29626ab860a94186dfe74202811b3201d2