Analysis
max time kernel: 145s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2023, 19:58
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win10v2004-20231023-en
General
Target: file.exe
Size: 511KB
MD5: d043a2dad04b5edda2db944f4ce621f7
SHA1: 2087ac8a835668bbbee974d591dc475e0449603d
SHA256: e3346fe08c979602e5adbc8c80c6b5356ecee04d8331fb626f3f9cf36235ea97
SHA512: 808fedbad9a8c80c1f1c4b67980957d68bed56dbd1e972bfbac3b3eec059a1efb51af9185b49df57475d4f6a86668fba60bb28e327c73d1f91d43279e9965ac3
SSDEEP: 12288:HMrcy90XSe30Rn+o29koY3bicsLg4NkvSLAno/931j:Tyve30QD9koYricsLgekuwo/9R
Malware Config
Extracted:
- redline
- taiga
- 5.42.92.51:19057
Signatures

Detect Mystic stealer payload (4 IoCs)
resource | yara_rule
behavioral1/memory/2400-14-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/2400-15-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/2400-16-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/2400-18-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral1/memory/224-22-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | 5Ie96xN.exe

Executes dropped EXE (4 IoCs)
pid | Process
3144 | wM4Bt15.exe
4312 | 3Wr483Tf.exe
2132 | 4kx6gY7.exe
4720 | 5Ie96xN.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | file.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | wM4Bt15.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 4312 set thread context of 2400 | 4312 | 3Wr483Tf.exe | 87
PID 2132 set thread context of 224 | 2132 | 4kx6gY7.exe | 96

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
384 | 2400 | WerFault.exe | 87

Suspicious use of WriteProcessMemory (36 IoCs; identical rows collapsed, count in last column)
description | pid | Process | procid_target | count
PID 60 wrote to memory of 3144 | 60 | file.exe | 84 | 3
PID 3144 wrote to memory of 4312 | 3144 | wM4Bt15.exe | 85 | 3
PID 4312 wrote to memory of 2400 | 4312 | 3Wr483Tf.exe | 87 | 10
PID 3144 wrote to memory of 2132 | 3144 | wM4Bt15.exe | 90 | 3
PID 2132 wrote to memory of 4944 | 2132 | 4kx6gY7.exe | 94 | 3
PID 2132 wrote to memory of 224 | 2132 | 4kx6gY7.exe | 96 | 8
PID 60 wrote to memory of 4720 | 60 | file.exe | 97 | 3
PID 4720 wrote to memory of 2176 | 4720 | 5Ie96xN.exe | 98 | 3
Processes
(indentation shows the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 60, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe  (PID 3144, depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wM4Bt15.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe  (PID 4312, depth 3)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Wr483Tf.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2400, depth 4)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                C:\Windows\SysWOW64\WerFault.exe  (PID 384, depth 5)
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 540
                  - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe  (PID 2132, depth 3)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4kx6gY7.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4944, depth 4)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 224, depth 4)
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe  (PID 4720, depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ie96xN.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 2176, depth 3)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

C:\Windows\SysWOW64\WerFault.exe  (PID 1984, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2400 -ip 2400
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 73KB
MD5: bcbd3c60b750ac0cf9d69018df0e1771
SHA1: eb5cc68ccee25af2f360e6223f9ce9745c03f9e1
SHA256: 29b78f3164bef67f5c7a2be8cfeb2c674ed387d8977536fa42de7ccd8149c4b9
SHA512: cb5feff6c3f392ce1aa6d03e406b980f7dd684042092bb51f5eef4f8fedf88c3ea8c467c877cb1fd20797b9dcd69df23717978fd1f63b947f42a0bc94a946361

Filesize: 388KB
MD5: 730774dd62b888857f27803f348e69c5
SHA1: 4489381fa8d64a437590e1bc8f4280ecf4829844
SHA256: 5be2a8e89e19b28d5b535f39dc343814287eb7d85f48babd803b84af5675de4c
SHA512: e9d20a68944ae93626b1cb378dce3b9117b91dcac6fa38d84ef88939a0028a128635090a015caefc01a3fb19bed9569b44605c18d7e3caf10e47735b4f92d29b

Filesize: 300KB
MD5: 6fc14a9c635856701da0ef1d98da8e36
SHA1: 50f1989c23df0b078cb2c23bf639800297b71707
SHA256: 750f7323e1dff4e8be12005177941334c86d48acbe7949cac30721f92b008da4
SHA512: 10013810726c61e01ab3a971b15321a0b7b29380d754587f39f6840b3059293c4d3b18c07a790c302a086c18466b47ab90bcd74ec2a5c9a70364bf524bd28497

Filesize: 339KB
MD5: e94d931a855236c7309d07d4b7d862ac
SHA1: 43584d7ca607a4f80395883e4e51129524a49c4c
SHA256: 829c19597ba300dc91ae26d18591ea6d388d97c62d1a8929f3c10ecdfa6bf0aa
SHA512: 136a2be4bce598b7726dd5ec29b5aeb0a500ed466ac9bdc8e1a312de4dbb7beb7305999dd0b836afbd1219ded001444eea2b1c8e7f4f840aa3cf91439647a244

Filesize: 181B
MD5: 225edee1d46e0a80610db26b275d72fb
SHA1: ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256: e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512: 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Filesize: 3B
MD5: a5ea0ad9260b1550a14cc58d2c39b03d
SHA1: f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256: f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512: 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74