Analysis
-
max time kernel
225s
-
max time network
235s
-
platform
windows10-2004_x64
-
resource
win10v2004-20231023-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
11-11-2023 10:03
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe
Resource
win10v2004-20231023-en
General
-
Target
NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe
-
Size
522KB
-
MD5
7537c3ebfeb1f256894ec554d8503b57
-
SHA1
e6e315efb32712299144b64845bc82076da02df0
-
SHA256
691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594
-
SHA512
557af935244a3595f56697e5726ede242a72b78f0c7a83ddf4540d537d9c9afab0bed87d3d64bff07ca77f8243cca7f0a2b1de1285c7d1e09723a7222d6b81a2
-
SSDEEP
12288:KMrly90wwkQjMS6ckV5RXnhN3QFhqAePmjFISFazxB:Py8johV5RYF3ePmCQa1B
Malware Config
Extracted
redline
taiga
5.42.92.51:19057
Signatures
-
Detect Mystic stealer payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3708-14-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/3708-15-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/3708-16-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/3708-20-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4164-22-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation | 5xl24uw.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid | Process
4220 | Cz2VK87.exe
1384 | 3fB893Zd.exe
1996 | 4Di4Zi4.exe
4708 | 5xl24uw.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Cz2VK87.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | Process | procid_target
PID 1384 set thread context of 3708 | 1384 | 3fB893Zd.exe | 92
PID 1996 set thread context of 4164 | 1996 | 4Di4Zi4.exe | 99
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | Process | procid_target
1828 | 3708 | WerFault.exe | 92
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
description | pid | Process | procid_target | entries
PID 2188 wrote to memory of 4220 | 2188 | NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe | 87 | 3
PID 4220 wrote to memory of 1384 | 4220 | Cz2VK87.exe | 89 | 3
PID 1384 wrote to memory of 3708 | 1384 | 3fB893Zd.exe | 92 | 10
PID 4220 wrote to memory of 1996 | 4220 | Cz2VK87.exe | 94 | 3
PID 1996 wrote to memory of 4164 | 1996 | 4Di4Zi4.exe | 99 | 8
PID 2188 wrote to memory of 4708 | 2188 | NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe | 101 | 3
PID 4708 wrote to memory of 3132 | 4708 | 5xl24uw.exe | 108 | 3
Processes
(process tree, indented by depth; image path, command line, PID and matched signatures per process)
- C:\Users\Admin\AppData\Local\Temp\NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.691b962af15936456c9f97a6aca492e4ca229899b68ca4b3517ab42b8f7a0594.exe"
  PID: 2188
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cz2VK87.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cz2VK87.exe
    PID: 4220
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3fB893Zd.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3fB893Zd.exe
      PID: 1384
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID: 3708
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 540
          PID: 1828
          Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Di4Zi4.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Di4Zi4.exe
      PID: 1996
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        PID: 4164
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xl24uw.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xl24uw.exe
    PID: 4708
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
      PID: 3132
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3708 -ip 3708
  PID: 552
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
73KB
MD5
50705322736ed8099196eb4e6ce664d0
SHA1
aa633d48071c9e8505ef3d26c3139d519195add7
SHA256
14d2eb3be008fdf0d2f908245b11a2946dda26fa767d1b01ae43d1a090553ca2
SHA512
6d72a72b3ab2b154250462b329fe88bbac4d0b4ee8f0c62e6e871a9a37ab69ea02160083ebe128b2c161cd1da662f710585c06d7f1b5abb359410c8d2df53231
-
Filesize
400KB
MD5
610e1133a76ebd35d98e3135e0c327b0
SHA1
187bf9f5b655eaf8cb7d3ede21007af721b7d684
SHA256
f549e334d72f3ca01d4dc2d938c0f0ea236dc2657e357132e924bbe8ad953821
SHA512
3b885be010b98373262ee9b5ecb531c97cded193a83821b6de8976e4ae971fa8bab3053b99d5fb6eb184b8a301e981fb2344e07acff213fcae4a9deb818fea94
-
Filesize
319KB
MD5
819e6388ccec6d47b9dfb7bf0756d6c9
SHA1
17833be2c50c81b74cba89933b9580e18d0dae4e
SHA256
4c9dc67e337bc91d73e84e7e6ee7151490fb1b43e945055b36934e03e6e97343
SHA512
b4de99eba6c76cc99400f1e6c18116965c071321575fef91966415280f34f498f302702a11ac536b9f789ea86d8e22b6acb692da94721b67517c0bd2e68d554c
-
Filesize
358KB
MD5
ad6cfdecee19f2020682d0403e7a3ccd
SHA1
9c73edd78a901b3b1fd30991f67022b0c068f75b
SHA256
15e38af8a4cac2ce2af8a0cb68a071bd30b5cdc26a694c3eb14e20ca451d2dc2
SHA512
6e3b5a6a5b88a87401f80a8d05f970206345cda17d65ba4a08229725e149d19959906bb1def741bb2af90960ab983385ac7cba77e9ca792c2c058dcec4ac35a8
-
Filesize
181B
MD5
225edee1d46e0a80610db26b275d72fb
SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504
-
Filesize
3B
MD5
a5ea0ad9260b1550a14cc58d2c39b03d
SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74