Analysis
  Max time kernel: 183s
  Max time network: 192s
  Platform: windows10-2004_x64
  Resource: win10v2004-20231023-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 11-11-2023 02:21

Static task: static1
Behavioral task: behavioral1
  Sample: eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe
  Resource: win10v2004-20231023-en

General
  Target: eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe
  Size: 511KB
  MD5: cacd315838b8fc3927e26523640b7b97
  SHA1: 01ad0e9e03b2ded6712e12b4ef096a63a6b3164c
  SHA256: eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852
  SHA512: 767ed1e0b60e65d7ba9d954e57e16a4a4f8c2e6cba7d674add73723a66ab066676c6ebde6466173231c77bc928e493e73d9d77eb8d2f5cea9c7b548ce03794fa
  SSDEEP: 12288:1Mrny90IWrL4ybciKsyFgMJZeKBmjpRGjjGaUaRN:6yP7ybKdZBBwAjjbUaRN
Malware Config
Extracted
  Family: redline
  Botnet: taiga
  C2: 5.42.92.51:19057
Signatures

Detect Mystic stealer payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/932-14-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral1/memory/932-15-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral1/memory/932-16-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral1/memory/932-18-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/3752-22-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | 5ij23CS.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  4024 | xI8DM66.exe
  4352 | 3VN703OC.exe
  1160 | 4Cf8MX0.exe
  3376 | 5ij23CS.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | xI8DM66.exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4352 set thread context of 932 | 4352 | 3VN703OC.exe | 89
  PID 1160 set thread context of 3752 | 1160 | 4Cf8MX0.exe | 95
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  2496 | 932 | WerFault.exe | 89
Suspicious use of WriteProcessMemory (33 IoCs)
  description | pid | Process | procid_target
  PID 1464 wrote to memory of 4024 | 1464 | eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe | 86
  PID 1464 wrote to memory of 4024 | 1464 | eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe | 86
  PID 1464 wrote to memory of 4024 | 1464 | eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe | 86
  PID 4024 wrote to memory of 4352 | 4024 | xI8DM66.exe | 87
  PID 4024 wrote to memory of 4352 | 4024 | xI8DM66.exe | 87
  PID 4024 wrote to memory of 4352 | 4024 | xI8DM66.exe | 87
  PID 4352 wrote to memory of 932 | 4352 | 3VN703OC.exe | 89
  PID 4352 wrote to memory of 932 | 4352 | 3VN703OC.exe | 89
  PID 4352 wrote to memory of 932 | 4352 | 3VN703OC.exe | 89
  PID 4352 wrote to memory of 932 | 4352 | 3VN703OC.exe | 89
  PID 4352 wrote to memory of 932 | 4352 | 3VN703OC.exe | 89
  PID 4352 wrote to memory of 932 | 4352 | 3VN703OC.exe | 89
  PID 4352 wrote to memory of 932 | 4352 | 3VN703OC.exe | 89
  PID 4352 wrote to memory of 932 | 4352 | 3VN703OC.exe | 89
  PID 4352 wrote to memory of 932 | 4352 | 3VN703OC.exe | 89
  PID 4352 wrote to memory of 932 | 4352 | 3VN703OC.exe | 89
  PID 4024 wrote to memory of 1160 | 4024 | xI8DM66.exe | 92
  PID 4024 wrote to memory of 1160 | 4024 | xI8DM66.exe | 92
  PID 4024 wrote to memory of 1160 | 4024 | xI8DM66.exe | 92
  PID 1160 wrote to memory of 3752 | 1160 | 4Cf8MX0.exe | 95
  PID 1160 wrote to memory of 3752 | 1160 | 4Cf8MX0.exe | 95
  PID 1160 wrote to memory of 3752 | 1160 | 4Cf8MX0.exe | 95
  PID 1160 wrote to memory of 3752 | 1160 | 4Cf8MX0.exe | 95
  PID 1160 wrote to memory of 3752 | 1160 | 4Cf8MX0.exe | 95
  PID 1160 wrote to memory of 3752 | 1160 | 4Cf8MX0.exe | 95
  PID 1160 wrote to memory of 3752 | 1160 | 4Cf8MX0.exe | 95
  PID 1160 wrote to memory of 3752 | 1160 | 4Cf8MX0.exe | 95
  PID 1464 wrote to memory of 3376 | 1464 | eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe | 96
  PID 1464 wrote to memory of 3376 | 1464 | eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe | 96
  PID 1464 wrote to memory of 3376 | 1464 | eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe | 96
  PID 3376 wrote to memory of 4968 | 3376 | 5ij23CS.exe | 101
  PID 3376 wrote to memory of 4968 | 3376 | 5ij23CS.exe | 101
  PID 3376 wrote to memory of 4968 | 3376 | 5ij23CS.exe | 101
Processes

eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe (PID 1464, depth 1)
  Path: C:\Users\Admin\AppData\Local\Temp\eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb556e24e841ba2f8498189a37e9529fc8e0951fb48078ff5a3d2aa47cf9a852.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  xI8DM66.exe (PID 4024, depth 2)
    Path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xI8DM66.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xI8DM66.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    3VN703OC.exe (PID 4352, depth 3)
      Path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3VN703OC.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3VN703OC.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      AppLaunch.exe (PID 932, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

        WerFault.exe (PID 2496, depth 5)
          Path: C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 540
          - Program crash

    4Cf8MX0.exe (PID 1160, depth 3)
      Path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cf8MX0.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cf8MX0.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      AppLaunch.exe (PID 3752, depth 4)
        Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

  5ij23CS.exe (PID 3376, depth 2)
    Path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ij23CS.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ij23CS.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    cmd.exe (PID 4968, depth 3)
      Path: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

WerFault.exe (PID 1800, depth 1)
  Path: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 932 -ip 932
Downloads