Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2023 10:05
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe
Resource
win10v2004-20231020-en
General
-
Target
NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe
-
Size
511KB
-
MD5
f5a714ad642a6d713d7238740abb022a
-
SHA1
6d352e474c006ef0bfca330921515be1d4c31664
-
SHA256
8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941
-
SHA512
2f785c2f0bed168e167a32e0bec02aefe7fdabf2f3b0599c6bea197a5f4994b8e8ebbfa4f2f262bef54213130164974f5dbfaa36655cc7238776d4e7a22024de
-
SSDEEP
12288:tMr7y902bBA+St/vIgwsrMkLCY8TUs2EuX+4+wSRQFw/xHj:CyBTSlA0rlCYSz2EuuUS+q/Zj
Malware Config
Extracted
redline
taiga
5.42.92.51:19057
Signatures
-
Detect Mystic stealer payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1004-14-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral1/memory/1004-15-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral1/memory/1004-16-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral1/memory/1004-18-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4980-22-0x0000000000400000-0x000000000043C000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
5Ab83Pz.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation 5Ab83Pz.exe -
Executes dropped EXE 4 IoCs
Processes:
RD9kV38.exe3XJ945ru.exe4jm2Sl1.exe5Ab83Pz.exepid Process 228 RD9kV38.exe 3484 3XJ945ru.exe 1484 4jm2Sl1.exe 3772 5Ab83Pz.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exeRD9kV38.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" RD9kV38.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
3XJ945ru.exe4jm2Sl1.exedescription pid Process procid_target PID 3484 set thread context of 1004 3484 3XJ945ru.exe 92 PID 1484 set thread context of 4980 1484 4jm2Sl1.exe 99 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 1140 1004 WerFault.exe 92 -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exeRD9kV38.exe3XJ945ru.exe4jm2Sl1.exe5Ab83Pz.exedescription pid Process procid_target PID 3536 wrote to memory of 228 3536 NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe 86 PID 3536 wrote to memory of 228 3536 NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe 86 PID 3536 wrote to memory of 228 3536 NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe 86 PID 228 wrote to memory of 3484 228 RD9kV38.exe 87 PID 228 wrote to memory of 3484 228 RD9kV38.exe 87 PID 228 wrote to memory of 3484 228 RD9kV38.exe 87 PID 3484 wrote to memory of 320 3484 3XJ945ru.exe 90 PID 3484 wrote to memory of 320 3484 3XJ945ru.exe 90 PID 3484 wrote to memory of 320 3484 3XJ945ru.exe 90 PID 3484 wrote to memory of 1004 3484 3XJ945ru.exe 92 PID 3484 wrote to memory of 1004 3484 3XJ945ru.exe 92 PID 3484 wrote to memory of 1004 3484 3XJ945ru.exe 92 PID 3484 wrote to memory of 1004 3484 3XJ945ru.exe 92 PID 3484 wrote to memory of 1004 3484 3XJ945ru.exe 92 PID 3484 wrote to memory of 1004 3484 3XJ945ru.exe 92 PID 3484 wrote to memory of 1004 3484 3XJ945ru.exe 92 PID 3484 wrote to memory of 1004 3484 3XJ945ru.exe 92 PID 3484 wrote to memory of 1004 3484 3XJ945ru.exe 92 PID 3484 wrote to memory of 1004 3484 3XJ945ru.exe 92 PID 228 wrote to memory of 1484 228 RD9kV38.exe 95 PID 228 wrote to memory of 1484 228 RD9kV38.exe 95 PID 228 wrote to memory of 1484 228 RD9kV38.exe 95 PID 1484 wrote to memory of 2444 1484 4jm2Sl1.exe 98 PID 1484 wrote to memory of 2444 1484 4jm2Sl1.exe 98 PID 1484 wrote to memory of 2444 1484 4jm2Sl1.exe 98 PID 1484 wrote to memory of 4980 1484 4jm2Sl1.exe 99 PID 1484 wrote to memory of 4980 1484 4jm2Sl1.exe 99 PID 1484 wrote to memory of 4980 1484 4jm2Sl1.exe 99 PID 1484 wrote to memory of 4980 1484 4jm2Sl1.exe 99 PID 1484 wrote to memory of 4980 1484 4jm2Sl1.exe 99 PID 1484 wrote to memory of 4980 1484 4jm2Sl1.exe 99 PID 1484 wrote to memory of 4980 1484 4jm2Sl1.exe 99 PID 1484 wrote to memory of 4980 1484 4jm2Sl1.exe 99 PID 3536 wrote to memory of 3772 3536 NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe 101 PID 3536 wrote to memory of 3772 3536 NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe 101 PID 3536 wrote to memory of 3772 3536 NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe 101 PID 3772 wrote to memory of 2400 3772 5Ab83Pz.exe 103 PID 3772 wrote to memory of 2400 3772 5Ab83Pz.exe 103 PID 3772 wrote to memory of 2400 3772 5Ab83Pz.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.8e5d766de64770d88cdb55ac884a25e49726b72c0bbe7912cb52c8f578fc8941.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RD9kV38.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RD9kV38.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3XJ945ru.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3XJ945ru.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:320
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:1004
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 5405⤵
- Program crash
PID:1140
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4jm2Sl1.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4jm2Sl1.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:2444
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:4980
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ab83Pz.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ab83Pz.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "3⤵PID:2400
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1004 -ip 10041⤵PID:864
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD5a61ca01064586ed8060e32190d2ee30c
SHA19cc56ed5345c7cc577bd366f8c1b755642c7eecc
SHA256906712803c648b27fbe4de937c3ac02f88304a07ee272a7e6713f95d4f5058d0
SHA512ae6d570f4dda1565f1debdd07da201ce1509e9fef1505fd0518910ebc74a862cc26f599cec07f3ee7e47366aa9a763c8ef2b01894d0645dc2bda03998059bf63
-
Filesize
73KB
MD5a61ca01064586ed8060e32190d2ee30c
SHA19cc56ed5345c7cc577bd366f8c1b755642c7eecc
SHA256906712803c648b27fbe4de937c3ac02f88304a07ee272a7e6713f95d4f5058d0
SHA512ae6d570f4dda1565f1debdd07da201ce1509e9fef1505fd0518910ebc74a862cc26f599cec07f3ee7e47366aa9a763c8ef2b01894d0645dc2bda03998059bf63
-
Filesize
389KB
MD59fd599dab087e8b324cd7a6831eaf281
SHA173bd07b12033306de581530196eb18513034f37b
SHA256f8e024b87d89d1aa2bdc6282db5aaee594e04564d93b0b4b57ab11bef5f05783
SHA51281efb50ac818444e84568cb753cf17c091c35feadaf4ccd0144b3228bef5635a19c60aef37eb1381d72c11df5ce6b96e05cbd59692fdda1a546bbf5f67f10709
-
Filesize
389KB
MD59fd599dab087e8b324cd7a6831eaf281
SHA173bd07b12033306de581530196eb18513034f37b
SHA256f8e024b87d89d1aa2bdc6282db5aaee594e04564d93b0b4b57ab11bef5f05783
SHA51281efb50ac818444e84568cb753cf17c091c35feadaf4ccd0144b3228bef5635a19c60aef37eb1381d72c11df5ce6b96e05cbd59692fdda1a546bbf5f67f10709
-
Filesize
300KB
MD5784667bb96ccb30c4cf44f2c5f493769
SHA128185165ab4dbbb4a139ae1af0bb6934ebe05c04
SHA2561025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9
SHA51262c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20
-
Filesize
300KB
MD5784667bb96ccb30c4cf44f2c5f493769
SHA128185165ab4dbbb4a139ae1af0bb6934ebe05c04
SHA2561025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9
SHA51262c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20
-
Filesize
339KB
MD514d9834611ad581afcfea061652ff6cb
SHA1802f964d0be7858eb2f1e7c6fcda03501fd1b71c
SHA256e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60
SHA512cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5
-
Filesize
339KB
MD514d9834611ad581afcfea061652ff6cb
SHA1802f964d0be7858eb2f1e7c6fcda03501fd1b71c
SHA256e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60
SHA512cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5
-
Filesize
181B
MD5225edee1d46e0a80610db26b275d72fb
SHA1ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA5124f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504
-
Filesize
3B
MD5a5ea0ad9260b1550a14cc58d2c39b03d
SHA1f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA5127c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74