Malware Analysis Report

2025-01-02 05:27

Sample ID: 231111-jjncyade55
Target: 1c9ff9394f050e641023445185ab7f78.exe
SHA256: 8fbb18ef24e9c8f05209909a7723fe076b478dde5b9385a1d23f0ad46a8751aa
Tags: mystic, redline, taiga, infostealer, persistence, stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 8fbb18ef24e9c8f05209909a7723fe076b478dde5b9385a1d23f0ad46a8751aa

Threat Level: Known bad

The file 1c9ff9394f050e641023445185ab7f78.exe was found to be: Known bad.

Malicious Activity Summary

Tags: mystic, redline, taiga, infostealer, persistence, stealer

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2023-11-11 07:42

Signatures

Unsigned PE

Description / Indicator / Process / Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-11-11 07:42
Reported: 2023-11-11 07:45
Platform: win10v2004-20231020-en
Max time kernel: 141s
Max time network: 169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c9ff9394f050e641023445185ab7f78.exe"

Signatures

Detect Mystic stealer payload

Description / Indicator / Process / Target: N/A (4 matches, no details recorded)

Mystic (tags: stealer, mystic)

RedLine (tags: infostealer, redline)

RedLine payload

Description / Indicator / Process / Target: N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Od9SY95.exe
Target: N/A

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\1c9ff9394f050e641023445185ab7f78.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nA7fv67.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description: PID 1880 wrote to memory of 4888 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1c9ff9394f050e641023445185ab7f78.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nA7fv67.exe

Description: PID 4888 wrote to memory of 4996 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nA7fv67.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1zd96lj0.exe

Description: PID 4996 wrote to memory of 3332 (10 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1zd96lj0.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Description: PID 4888 wrote to memory of 3260 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nA7fv67.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2no5904.exe

Description: PID 3260 wrote to memory of 4528 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2no5904.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Description: PID 3260 wrote to memory of 1420 (8 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2no5904.exe
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Description: PID 1880 wrote to memory of 3108 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\1c9ff9394f050e641023445185ab7f78.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Od9SY95.exe

Description: PID 3108 wrote to memory of 4732 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Od9SY95.exe
Target: C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1c9ff9394f050e641023445185ab7f78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c9ff9394f050e641023445185ab7f78.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nA7fv67.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nA7fv67.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1zd96lj0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1zd96lj0.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3332 -ip 3332

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2no5904.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2no5904.exe

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Od9SY95.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Od9SY95.exe

C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Country  Destination            Domain                          Proto
US       8.8.8.8:53             136.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53             254.43.238.8.in-addr.arpa       udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53             g.bing.com                      udp
US       204.79.197.200:443     g.bing.com                      tcp
US       8.8.8.8:53             241.154.82.20.in-addr.arpa      udp
US       8.8.8.8:53             200.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53             45.19.74.20.in-addr.arpa        udp
US       8.8.8.8:53             146.78.124.51.in-addr.arpa      udp
US       8.8.8.8:53             39.142.81.104.in-addr.arpa      udp
RU       5.42.92.51:19057       -                               tcp
US       8.8.8.8:53             208.194.73.20.in-addr.arpa      udp
RU       5.42.92.51:19057       -                               tcp
US       8.8.8.8:53             86.23.85.13.in-addr.arpa        udp
US       8.8.8.8:53             171.39.242.20.in-addr.arpa      udp
US       8.8.8.8:53             138.175.53.84.in-addr.arpa      udp
US       8.8.8.8:53             tse1.mm.bing.net                udp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       204.79.197.200:443     tse1.mm.bing.net                tcp
US       52.111.227.11:443      -                               tcp
RU       5.42.92.51:19057       -                               tcp
US       8.8.8.8:53             163.252.72.23.in-addr.arpa      udp
US       8.8.8.8:53             19.229.111.52.in-addr.arpa      udp
RU       5.42.92.51:19057       -                               tcp
RU       5.42.92.51:19057       -                               tcp
US       8.8.8.8:53             13.73.50.20.in-addr.arpa        udp
RU       5.42.92.51:19057       -                               tcp

("-" marks connections for which no domain was recorded.)

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nA7fv67.exe

MD5 dbe67a258aa890850e016d987f0986dc
SHA1 30dbd6c6fcf40c9b3488c5c02f223beaf0b2e14a
SHA256 7724e34340a92534ad0ca04c0206ac0f372b12b3333fa18bd4d0456687eeb433
SHA512 c615f03268eba6176a51b7789ddc7ab860af004d98bcc8c66f8c0cdd4a22cc7f538d5a5fa92a0d1f5eed1545f0971310823de52db9f17bb50c56a114b905680d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1zd96lj0.exe

MD5 afea8784f4793fbbc8fb24dabf312276
SHA1 c4b4f92896eb0d8e45ce6a677f3f72d2801abb86
SHA256 2f8a55664928402de50f217b676308b2336da6a1889d66c0f50320321634f587
SHA512 923be884c5e0da3b718c06f0d1f105c37bc19b698da5fcb97d6e4907f8f3da8b88c870cec74d7409b324aba0bdd3e4b1781cc30aa8ebb41b6aab0e5ba03ac0bd

memory/3332-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3332-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3332-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3332-18-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2no5904.exe

MD5 d706b44439184373b314c2f2e1012167
SHA1 36b7487ab876ef2699f2edb0e323c992aa675242
SHA256 61db01590e9ff5ebc08a056ab07fd1d64bd0e843bcfcd86254b4cfeb2038028d
SHA512 28fc774e81733b3989a605384cac88eece80b03c0ef77c02d7b110d2002f353f0dfd8cfdfcb149e3eb210f21a759f67f108b0379b78588ad158fe9c0d9b99b02

memory/1420-22-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Od9SY95.exe

MD5 82d21a543712b292f22f4d02cf6528f4
SHA1 58eb308b9429ca32447ef49a563e3343f4cc3bbd
SHA256 474cd0a04f9209ea2e8b17c440eeef537ee7ed7df8c7f9366be03659a3bf30d3
SHA512 8754e48a75cd3f37a04411a8e072990aefd699f28fa958bc31c000e15dd188d7078d576abf5565156e7a68d3c6fab0f081c5a65a2af56fe1bfe71f3c8e3b1b49

memory/1420-28-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/1420-30-0x0000000007480000-0x0000000007A24000-memory.dmp

memory/1420-31-0x0000000006F70000-0x0000000007002000-memory.dmp

memory/1420-33-0x0000000007190000-0x00000000071A0000-memory.dmp

memory/1420-34-0x0000000007110000-0x000000000711A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

memory/1420-39-0x0000000008050000-0x0000000008668000-memory.dmp

memory/1420-40-0x00000000072D0000-0x00000000073DA000-memory.dmp

memory/1420-41-0x0000000007200000-0x0000000007212000-memory.dmp

memory/1420-42-0x0000000007260000-0x000000000729C000-memory.dmp

memory/1420-43-0x00000000073E0000-0x000000000742C000-memory.dmp

memory/1420-44-0x0000000073920000-0x00000000740D0000-memory.dmp

memory/1420-45-0x0000000007190000-0x00000000071A0000-memory.dmp