Analysis
- max time kernel: 149s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-11-2023 10:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe
- Size: 522KB
- MD5: 6f05f96135328d7cb8d213058542edce
- SHA1: da158e6385688ea97869bd5c2e5cfcbcd6c22840
- SHA256: 302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b
- SHA512: 9d6e169e6c0324d92a7e32602f3752193fda0ea72bb12798fad841b25c8bd82c6178f8591acdff7985f5d71ce259913138923774a7bdeff0ba68a47e3b78c684
- SSDEEP: 12288:zMr3y90+/o/6TVw8LjGI4HmdrtKZsHoUW7n0t+cjFnM:4yJK6/jL4ian0cEM
Malware Config
Extracted
- Family: redline
- Botnet: taiga
- C2: 5.42.92.51:19057
Signatures

- Detect Mystic stealer payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/4212-14-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral1/memory/4212-15-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral1/memory/4212-16-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral1/memory/4212-18-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family

- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

- RedLine payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/4796-22-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | 7rk4Jv05.exe

- Executes dropped EXE (4 IoCs)
  pid | Process
  1600 | oV2xo28.exe
  3148 | 1qI33Wy0.exe
  3524 | 2eq0513.exe
  3624 | 7rk4Jv05.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | oV2xo28.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 3148 set thread context of 4212 | 3148 | 1qI33Wy0.exe | 93
  PID 3524 set thread context of 4796 | 3524 | 2eq0513.exe | 98

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  3948 | 4212 | WerFault.exe | 93

- Suspicious use of WriteProcessMemory (36 IoCs)
  description | pid | Process | procid_target | count
  PID 5008 wrote to memory of 1600 | 5008 | NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe | 84 | 3
  PID 1600 wrote to memory of 3148 | 1600 | oV2xo28.exe | 87 | 3
  PID 3148 wrote to memory of 2960 | 3148 | 1qI33Wy0.exe | 91 | 3
  PID 3148 wrote to memory of 4212 | 3148 | 1qI33Wy0.exe | 93 | 10
  PID 1600 wrote to memory of 3524 | 1600 | oV2xo28.exe | 96 | 3
  PID 3524 wrote to memory of 4796 | 3524 | 2eq0513.exe | 98 | 8
  PID 5008 wrote to memory of 3624 | 5008 | NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe | 100 | 3
  PID 3624 wrote to memory of 1804 | 3624 | 7rk4Jv05.exe | 101 | 3
Processes

- C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe (PID 5008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe (PID 1600)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe (PID 3148)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2960)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4212)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

        - C:\Windows\SysWOW64\WerFault.exe (PID 3948)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 540
          - Program crash

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe (PID 3524)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4796)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe (PID 3624)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 1804)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

- C:\Windows\SysWOW64\WerFault.exe (PID 2684)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4212 -ip 4212
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 73KB
  MD5: 15ac74d2298e67d5a1f0cf50ef8650a4
  SHA1: 6e61715c878aeec8aa0b0692f22f9ba3064fc2e9
  SHA256: bc7a068051cf9ab007ddcb98eb2320845cefe46a309d8140c1f07abbfda1d6ba
  SHA512: 861ed40b268db58d0793a0e2f93f183616b7b9388ebd84d93733ba17eb02ef79be6240a1fca8b4eed3f88baf0035548d26ccd776fa275be8c8769f6435fd0cc3

- Filesize: 401KB
  MD5: e485213cab83173f1edbffa57d6e0beb
  SHA1: dc74a2b5408ea773f5bd224ce156ff2b74065f1a
  SHA256: d49315ff1808414762e1da9e0a80130180e7998d23ca9aef748b3ce5e26c2dc0
  SHA512: 16b21ea0de97fd70d09b229fa0c2fc02ff7ab013896ac5acdb0d56b34b35aa917b326332be09768e3bdfb378e2557347e444a436e36d67e166f89b5ee482cf57

- Filesize: 319KB
  MD5: 936c5f7efa58552148f870c1e1334b71
  SHA1: 705d2bdc7597f4002c5a9960987c9c23bc73d0be
  SHA256: 2a21b15d158a40961b5cd5219b438e22cde589e5e6e65a8330136b4e467095ba
  SHA512: 32bfc1ee5642fe1921ca1ed500c6c9bab4913e198ffa5f81730d30280fc3f46f1fe1a206f66e8cf91622184a7a35626cad71ca0788143c0693118cddf31319c3

- Filesize: 358KB
  MD5: 13dbc7d75a2f88028a861c7b8ecf8eb8
  SHA1: 43c5c152b3c6d9dcbb2f2c2467344764c779fefa
  SHA256: 41ecc89cd1021f9b465180be09e3451f97d48c1143b2c30ff6c5c8e371953e33
  SHA512: aee7eec3e1297a22ab10ec19d17375e32f8bcb6bdebe23fdd434f6e5c4baf94d53dfecdfae68b2ef46afe73c89fb5fec911609096360f0051878c62746a7c751

- Filesize: 181B
  MD5: 225edee1d46e0a80610db26b275d72fb
  SHA1: ce206abf11aaf19278b72f5021cc64b1b427b7e8
  SHA256: e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
  SHA512: 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

- Filesize: 3B
  MD5: a5ea0ad9260b1550a14cc58d2c39b03d
  SHA1: f0aedf295071ed34ab8c6a7692223d22b6a19841
  SHA256: f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
  SHA512: 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74