Overview

overview

10

Static

static

3

NEAS.2f1d1...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2023 08:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.2f1d19f90db1a28d3c016371b2827e80.exe

  • Size

    399KB

  • MD5

    2f1d19f90db1a28d3c016371b2827e80

  • SHA1

    978c6313505dcd7ec1a86dbbb3ca8f40a0d9db13

  • SHA256

    9bd64380f9fc0adef717f8f104d2ee9917a798a9d4ac1034fa716ac47ff08dce

  • SHA512

    3b7a8cbe80109dc9b97e5c54e5bb1288017bfe41d765c4d865a88584815ee1ffdf44b092672f78bcf16fae6cc96fe14370051e29cc70495e80a01dc4161331ee

  • SSDEEP

    6144:Kpy+bnr+Z1p0yN90QEHOoHZHQUEn7epJEGb8r2gxhWoqnrRa2uADXwJIExqrlRvi:nMrDy90RhK7g9b0FHOnNXgy/pt1M

Score
10/10
mysticredlinegruhainfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

gruha

C2

77.91.124.55:19071

Attributes
  • auth_value

    2f4cf2e668a540e64775b27535cc6892

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.2f1d19f90db1a28d3c016371b2827e80.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.2f1d19f90db1a28d3c016371b2827e80.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7989047.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7989047.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:2028
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 540
            4⤵
            • Program crash
            PID:3360
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 596
          3⤵
          • Program crash
          PID:2672
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0963947.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0963947.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:5000
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 140
            3⤵
            • Program crash
            PID:3572
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3980 -ip 3980
        1⤵
          PID:4724
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2028 -ip 2028
          1⤵
            PID:3280
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4632 -ip 4632
            1⤵
              PID:3676
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
              1⤵
                PID:4856
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1520

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Defense Evasion

              Modify Registry

              1
              T1112

              Credential Access

              Discovery

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7989047.exe
                Filesize

                356KB

                MD5

                d0632a606309fdafdefb6725df4b365f

                SHA1

                0bb18d5be8302a4841987de5c903556d5bdc73ce

                SHA256

                a41f32c50f21676bd67e115b63644cbd4fcca351a674f7dcd24231ca7aa9fb50

                SHA512

                8fc215c86c2b5396df779d4aaad2b6c6fa2271ea1c6fcd090b47c4b2d2be9280eb54ced0fdeff3a64ca265457bc2fce540683b9c74a85120332c3620e3e80a7e

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7989047.exe
                Filesize

                356KB

                MD5

                d0632a606309fdafdefb6725df4b365f

                SHA1

                0bb18d5be8302a4841987de5c903556d5bdc73ce

                SHA256

                a41f32c50f21676bd67e115b63644cbd4fcca351a674f7dcd24231ca7aa9fb50

                SHA512

                8fc215c86c2b5396df779d4aaad2b6c6fa2271ea1c6fcd090b47c4b2d2be9280eb54ced0fdeff3a64ca265457bc2fce540683b9c74a85120332c3620e3e80a7e

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0963947.exe
                Filesize

                390KB

                MD5

                9821a31de4b7f341eb93d3589ed53270

                SHA1

                1c3c27b975c3d2958f3ab8e66bc66d239f9f1244

                SHA256

                c9878e544002e30a3c3a551b1edf8a50129fe96f793c458f4c1948f45e71b73f

                SHA512

                9b8f2da4d63ed61a12ae8ae8d67724f9f9e6b6c07350d54b0b9d4e62b4b99a356baf0aa6514ff1f393c8e3667b2df07f424a086850e8e94156845bedef0f1869

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s0963947.exe
                Filesize

                390KB

                MD5

                9821a31de4b7f341eb93d3589ed53270

                SHA1

                1c3c27b975c3d2958f3ab8e66bc66d239f9f1244

                SHA256

                c9878e544002e30a3c3a551b1edf8a50129fe96f793c458f4c1948f45e71b73f

                SHA512

                9b8f2da4d63ed61a12ae8ae8d67724f9f9e6b6c07350d54b0b9d4e62b4b99a356baf0aa6514ff1f393c8e3667b2df07f424a086850e8e94156845bedef0f1869

                Download Submit
              • memory/1520-67-0x000001C8239C0000-0x000001C8239C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-69-0x000001C8235F0000-0x000001C8235F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-94-0x000001C823840000-0x000001C823841000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-59-0x000001C8239C0000-0x000001C8239C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-60-0x000001C8239C0000-0x000001C8239C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-92-0x000001C823730000-0x000001C823731000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-90-0x000001C823720000-0x000001C823721000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-78-0x000001C823520000-0x000001C823521000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-75-0x000001C8235E0000-0x000001C8235E1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-72-0x000001C8235F0000-0x000001C8235F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-70-0x000001C8235E0000-0x000001C8235E1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-68-0x000001C8239C0000-0x000001C8239C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-66-0x000001C8239C0000-0x000001C8239C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-65-0x000001C8239C0000-0x000001C8239C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-64-0x000001C8239C0000-0x000001C8239C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-26-0x000001C81B2B0000-0x000001C81B2C0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1520-42-0x000001C81B3B0000-0x000001C81B3C0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1520-58-0x000001C8239A0000-0x000001C8239A1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-63-0x000001C8239C0000-0x000001C8239C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-93-0x000001C823730000-0x000001C823731000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-62-0x000001C8239C0000-0x000001C8239C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1520-61-0x000001C8239C0000-0x000001C8239C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2028-7-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/2028-9-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/2028-11-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/2028-8-0x0000000000400000-0x0000000000428000-memory.dmp
                Filesize

                160KB

                Download
              • memory/5000-22-0x0000000005AC0000-0x0000000005AFC000-memory.dmp
                Filesize

                240KB

                Download
              • memory/5000-21-0x0000000005A50000-0x0000000005A62000-memory.dmp
                Filesize

                72KB

                Download
              • memory/5000-24-0x00000000743F0000-0x0000000074BA0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/5000-23-0x0000000005B10000-0x0000000005B5C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/5000-20-0x0000000005AB0000-0x0000000005AC0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5000-19-0x0000000005BD0000-0x0000000005CDA000-memory.dmp
                Filesize

                1.0MB

                Download
              • memory/5000-18-0x00000000060E0000-0x00000000066F8000-memory.dmp
                Filesize

                6.1MB

                Download
              • memory/5000-17-0x0000000005A00000-0x0000000005A06000-memory.dmp
                Filesize

                24KB

                Download
              • memory/5000-16-0x00000000743F0000-0x0000000074BA0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/5000-15-0x0000000000400000-0x0000000000430000-memory.dmp
                Filesize

                192KB

                Download
              • memory/5000-25-0x0000000005AB0000-0x0000000005AC0000-memory.dmp
                Filesize

                64KB

                Download