Malware Analysis Report

2024-12-08 01:06

Sample ID 231111-l7b1xsdb9w
Target NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe
SHA256 302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b
Tags
mystic redline taiga infostealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b

Threat Level: Known bad

The file NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe was found to be: Known bad.

Malicious Activity Summary

mystic redline taiga infostealer persistence stealer

Detect Mystic stealer payload

Mystic

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 10:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 10:10

Reported

2023-11-11 10:13

Platform

win10v2004-20231023-en

Max time kernel

149s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe
PID 5008 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe
PID 5008 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe
PID 1600 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe
PID 1600 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe
PID 1600 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe
PID 3148 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1600 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe
PID 1600 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe
PID 1600 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe
PID 3524 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3524 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5008 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe
PID 5008 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe
PID 5008 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe
PID 3624 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.302ceae53a451101d91807b6240d3da3163f40859ccfebc36c77fbc58d3b6e0b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4212 -ip 4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 254.43.238.8.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 194.98.74.40.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe

MD5 e485213cab83173f1edbffa57d6e0beb
SHA1 dc74a2b5408ea773f5bd224ce156ff2b74065f1a
SHA256 d49315ff1808414762e1da9e0a80130180e7998d23ca9aef748b3ce5e26c2dc0
SHA512 16b21ea0de97fd70d09b229fa0c2fc02ff7ab013896ac5acdb0d56b34b35aa917b326332be09768e3bdfb378e2557347e444a436e36d67e166f89b5ee482cf57

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oV2xo28.exe

MD5 e485213cab83173f1edbffa57d6e0beb
SHA1 dc74a2b5408ea773f5bd224ce156ff2b74065f1a
SHA256 d49315ff1808414762e1da9e0a80130180e7998d23ca9aef748b3ce5e26c2dc0
SHA512 16b21ea0de97fd70d09b229fa0c2fc02ff7ab013896ac5acdb0d56b34b35aa917b326332be09768e3bdfb378e2557347e444a436e36d67e166f89b5ee482cf57

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe

MD5 936c5f7efa58552148f870c1e1334b71
SHA1 705d2bdc7597f4002c5a9960987c9c23bc73d0be
SHA256 2a21b15d158a40961b5cd5219b438e22cde589e5e6e65a8330136b4e467095ba
SHA512 32bfc1ee5642fe1921ca1ed500c6c9bab4913e198ffa5f81730d30280fc3f46f1fe1a206f66e8cf91622184a7a35626cad71ca0788143c0693118cddf31319c3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qI33Wy0.exe

MD5 936c5f7efa58552148f870c1e1334b71
SHA1 705d2bdc7597f4002c5a9960987c9c23bc73d0be
SHA256 2a21b15d158a40961b5cd5219b438e22cde589e5e6e65a8330136b4e467095ba
SHA512 32bfc1ee5642fe1921ca1ed500c6c9bab4913e198ffa5f81730d30280fc3f46f1fe1a206f66e8cf91622184a7a35626cad71ca0788143c0693118cddf31319c3

memory/4212-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4212-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4212-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4212-18-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe

MD5 13dbc7d75a2f88028a861c7b8ecf8eb8
SHA1 43c5c152b3c6d9dcbb2f2c2467344764c779fefa
SHA256 41ecc89cd1021f9b465180be09e3451f97d48c1143b2c30ff6c5c8e371953e33
SHA512 aee7eec3e1297a22ab10ec19d17375e32f8bcb6bdebe23fdd434f6e5c4baf94d53dfecdfae68b2ef46afe73c89fb5fec911609096360f0051878c62746a7c751

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eq0513.exe

MD5 13dbc7d75a2f88028a861c7b8ecf8eb8
SHA1 43c5c152b3c6d9dcbb2f2c2467344764c779fefa
SHA256 41ecc89cd1021f9b465180be09e3451f97d48c1143b2c30ff6c5c8e371953e33
SHA512 aee7eec3e1297a22ab10ec19d17375e32f8bcb6bdebe23fdd434f6e5c4baf94d53dfecdfae68b2ef46afe73c89fb5fec911609096360f0051878c62746a7c751

memory/4796-22-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe

MD5 15ac74d2298e67d5a1f0cf50ef8650a4
SHA1 6e61715c878aeec8aa0b0692f22f9ba3064fc2e9
SHA256 bc7a068051cf9ab007ddcb98eb2320845cefe46a309d8140c1f07abbfda1d6ba
SHA512 861ed40b268db58d0793a0e2f93f183616b7b9388ebd84d93733ba17eb02ef79be6240a1fca8b4eed3f88baf0035548d26ccd776fa275be8c8769f6435fd0cc3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7rk4Jv05.exe

MD5 15ac74d2298e67d5a1f0cf50ef8650a4
SHA1 6e61715c878aeec8aa0b0692f22f9ba3064fc2e9
SHA256 bc7a068051cf9ab007ddcb98eb2320845cefe46a309d8140c1f07abbfda1d6ba
SHA512 861ed40b268db58d0793a0e2f93f183616b7b9388ebd84d93733ba17eb02ef79be6240a1fca8b4eed3f88baf0035548d26ccd776fa275be8c8769f6435fd0cc3

memory/4796-28-0x0000000074230000-0x00000000749E0000-memory.dmp

memory/4796-30-0x0000000008350000-0x00000000088F4000-memory.dmp

memory/4796-31-0x0000000007E40000-0x0000000007ED2000-memory.dmp

memory/4796-33-0x0000000007FB0000-0x0000000007FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

memory/4796-38-0x0000000007EF0000-0x0000000007EFA000-memory.dmp

memory/4796-39-0x0000000008F20000-0x0000000009538000-memory.dmp

memory/4796-40-0x0000000008900000-0x0000000008A0A000-memory.dmp

memory/4796-41-0x00000000080D0000-0x00000000080E2000-memory.dmp

memory/4796-42-0x0000000008160000-0x000000000819C000-memory.dmp

memory/4796-43-0x00000000080F0000-0x000000000813C000-memory.dmp

memory/4796-44-0x0000000074230000-0x00000000749E0000-memory.dmp

memory/4796-45-0x0000000007FB0000-0x0000000007FC0000-memory.dmp