Malware Analysis Report

2024-12-08 01:25

Sample ID: 231111-m4kdkaeh87
Target: NEAS.7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c.exe
SHA256: 7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c
Tags: mystic redline taiga infostealer persistence stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1: Detonation Overview; Signatures
Analysis: behavioral1: Detonation Overview; Command Line; Signatures; Processes; Network; Files

Analysis Overview

Threat Level: Known bad (score 10/10)

The file NEAS.7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c.exe (SHA256 7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c) was found to be: Known bad.

Malicious Activity Summary

Tags: mystic redline taiga infostealer persistence stealer

Signatures hit:
  Detect Mystic stealer payload
  Mystic
  RedLine
  RedLine payload
  Executes dropped EXE
  Checks computer location settings
  Adds Run key to start application
  Suspicious use of SetThreadContext
  Unsigned PE
  Program crash
  Enumerates physical storage devices
  Suspicious use of WriteProcessMemory

Taken together, the behavioral1 evidence below reads as a two-family drop. The IXP000.TMP and IXP001.TMP extraction directories and the wextract_cleanup RunOnce values are the standard artifacts of wextract.exe, the self-extracting stub that Windows IExpress packages are built on, so the sample is a nested IExpress package: the outer stub (PID 1744) extracts FS2XW27.exe and 5lb94sH.exe into IXP000.TMP, and FS2XW27.exe is itself an IExpress stub that extracts 3ia978uw.exe and 4ER9jf0.exe into IXP001.TMP. Both inner executables start the 32-bit .NET host C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe and write into it (10 and 8 write events into PIDs 1508 and 4600, against 3 for every plain parent/child pair in this run), which together with the SetThreadContext signature is consistent with process hollowing of AppLaunch.exe. PID 1508 then crashed (the two WerFault.exe invocations name it). The four memory dumps of PID 1508 at 0x400000-0x433000 and the single dump of PID 4600 at 0x400000-0x43C000 line up with the four Mystic and one RedLine payload hits, although the report does not name the matching processes. 5lb94sH.exe, the second file from the outer stub, queries the machine's Geo\Nation setting and runs is64.bat through cmd.exe. The repeated TCP connections to 5.42.92.51:19057 are the only non-Microsoft network destination; the report does not say which process opened them.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-11-11 11:01

Signatures

Unsigned PE (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-11-11 11:01
Reported: 2023-11-11 11:03
Platform: win10v2004-20231020-en
Max time kernel: 143s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c.exe"

Signatures

Detect Mystic stealer payload
  4 hits; no indicator details recorded.

Mystic
  stealer mystic

RedLine
  infostealer redline

RedLine payload
  1 hit; no indicator details recorded.

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5lb94sH.exe
Target: N/A

Adds Run key to start application

persistence

Two RunOnce values were set (registry strings shown unescaped):

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
Process: C:\Users\Admin\AppData\Local\Temp\NEAS.7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FS2XW27.exe
Target: N/A

These two values are not persistence for the malware. A wextract_cleanupN value under RunOnce whose command is rundll32.exe advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP directory is what the wextract.exe (IExpress) self-extracting stub writes so that its temporary extraction directory is deleted at the next logon; it runs once and launches nothing from the sample. The signature is still informative: the two entries confirm the nesting (the outer stub registered IXP000.TMP, FS2XW27.exe registered IXP001.TMP) and name the directories the dropped files lived in, which is where to look for them on a live host before the cleanup runs. No Run or RunOnce value that would relaunch any of the dropped executables is recorded in this report.
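To keep a generic "Run key" alert from being read as persistence when it is only the IExpress cleanup entry, the check below matches both the value name and the exact DelNodeRunDLL32 command, returns the extraction directory as a lead, and still reports anything else under Run or RunOnce. This is an added example written for this page, not part of the sandbox report or its tooling; the first two autorun values are the report's own (unescaped), and the third is a hypothetical persistence value constructed for contrast, using the user SID that appears in this report.

```python
import re
from collections import Counter

# Autorun values for triage. The first two are the RunOnce values recorded in this
# report (registry strings unescaped); the third is a HYPOTHETICAL persistence value
# constructed for contrast and is not something this sample wrote. The SID is the
# one that appears in the report.
SID = "S-1-5-21-3350690463-3549324357-1323838019-1000"
AUTORUN_VALUES = [
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
     'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"'),
    ("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup1",
     'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"'),
    (f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",  # hypothetical
     '"C:\\Users\\Admin\\AppData\\Roaming\\Updater\\svc.exe"'),                                # hypothetical
]

# wextract.exe (the IExpress stub) registers exactly this: rundll32 calling
# advpack.dll!DelNodeRunDLL32 on its IXPnnn.TMP extraction directory.
IEXPRESS_CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[a-z]:\\windows\\system32\\)?advpack\.dll,DelNodeRunDLL32\s+'
    r'"([^"]*\\IXP\d{3}\.TMP\\?)"$',
    re.IGNORECASE,
)

def classify_autorun(key_path, value):
    """Return ('iexpress_cleanup', extraction_dir) or ('persistence', value).
    Both the value name and the command must match; a wextract_cleanup name
    pointing at anything else is still flagged."""
    parent_key, _, name = key_path.rpartition("\\")
    m = IEXPRESS_CLEANUP_RE.match(value.strip())
    if (parent_key.lower().endswith("\\runonce")
            and name.lower().startswith("wextract_cleanup")
            and m):
        return ("iexpress_cleanup", m.group(1))
    return ("persistence", value)

def triage(values):
    """Count verdicts and collect the leads: extraction dirs to pull dropped files
    from, and persistence commands that need to be removed."""
    counts = Counter()
    leads = {"extraction_dirs": [], "persistence_cmds": []}
    for key, value in values:
        verdict, detail = classify_autorun(key, value)
        counts[verdict] += 1
        if verdict == "iexpress_cleanup":
            leads["extraction_dirs"].append(detail)
        else:
            leads["persistence_cmds"].append((key, detail))
    return dict(counts), leads

if __name__ == "__main__":
    counts, leads = triage(AUTORUN_VALUES)
    print(counts)
    for d in leads["extraction_dirs"]:
        print("IExpress extraction dir (cleanup-only entry):", d)
    for key, cmd in leads["persistence_cmds"]:
        print("Persistence entry:", key, "=", cmd)
```

The match is deliberately strict: an attacker who names a value wextract_cleanup0 but points it at their own executable does not get the benign verdict, because the command itself has to be the advpack.dll,DelNodeRunDLL32 call on an IXPnnn.TMP directory.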

Enumerates physical storage devices (no indicator details recorded)

Suspicious use of WriteProcessMemory

Writer PID -> target PID (write events): writer image -> target image

1744 -> 1840 (3): C:\Users\Admin\AppData\Local\Temp\NEAS.7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c.exe -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FS2XW27.exe
1840 -> 4288 (3): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FS2XW27.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3ia978uw.exe
4288 -> 1508 (10): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3ia978uw.exe -> C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
1840 -> 4968 (3): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FS2XW27.exe -> C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ER9jf0.exe
4968 -> 3756 (3): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ER9jf0.exe -> C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
4968 -> 4600 (8): C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ER9jf0.exe -> C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
1744 -> 3560 (3): C:\Users\Admin\AppData\Local\Temp\NEAS.7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c.exe -> C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5lb94sH.exe
3560 -> 4580 (3): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5lb94sH.exe -> C:\Windows\SysWOW64\cmd.exe

Every parent in this run writes into a freshly created child exactly three times, so three events is the baseline for ordinary process creation here and carries no signal by itself. The two outliers are the 10 writes by 3ia978uw.exe into AppLaunch.exe (PID 1508) and the 8 writes by 4ER9jf0.exe into AppLaunch.exe (PID 4600); together with the SetThreadContext signature and the memory dumps of those two PIDs starting at 0x400000 (the default image base of a 32-bit executable), this is the pattern of process hollowing, where a suspended system binary is overwritten with the payload and resumed. The third AppLaunch.exe instance (PID 3756) received only the baseline three writes.

Processes

Process tree (PIDs from the WriteProcessMemory events; each process's command line is indented under its image path):

C:\Users\Admin\AppData\Local\Temp\NEAS.7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c.exe  [PID 1744]
    "C:\Users\Admin\AppData\Local\Temp\NEAS.7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FS2XW27.exe  [PID 1840]
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FS2XW27.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3ia978uw.exe  [PID 4288]
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3ia978uw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  [PID 1508; crashed]
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ER9jf0.exe  [PID 4968]
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ER9jf0.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  [PID 3756]
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  [PID 4600]
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5lb94sH.exe  [PID 3560]
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5lb94sH.exe
    C:\Windows\SysWOW64\cmd.exe  [PID 4580]
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Windows Error Reporting, handling the crash of PID 1508:

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 540

AppLaunch.exe is loaded from Framework rather than Framework64, and cmd.exe and WerFault.exe from SysWOW64, so the whole chain runs as 32-bit processes; this matches the WOW6432Node path of the RunOnce values. The contents of is64.bat are not included in the report.
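The WriteProcessMemory rows are the only place this report gives PIDs, and they are enough to rebuild the process tree and to separate ordinary process creation from the heavier writes into AppLaunch.exe. The following Python is an added example written for this page, not part of the sandbox report or its tooling. The input rows are regenerated from the eight writer/target pairs and event counts recorded above so that the parser sees the report's own row format; the baseline of 3 writes is what this run shows for every plain parent/child pair and is an assumption to recalibrate for other sandboxes.

```python
import re
from collections import Counter, defaultdict

# The eight writer/target pairs recorded under "Suspicious use of WriteProcessMemory"
# in this report, with the number of write events for each. The raw rows are
# regenerated from this table so the parser sees the report's own row format.
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
STUB = TMP + "\\NEAS.7a732aaabaa24bb576386f2c11fa859a8e3094f004b3f8b63d8a3597552dce5c.exe"
APPLAUNCH = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
PAIRS = [
    (1744, 1840, 3, STUB, TMP + "\\IXP000.TMP\\FS2XW27.exe"),
    (1840, 4288, 3, TMP + "\\IXP000.TMP\\FS2XW27.exe", TMP + "\\IXP001.TMP\\3ia978uw.exe"),
    (4288, 1508, 10, TMP + "\\IXP001.TMP\\3ia978uw.exe", APPLAUNCH),
    (1840, 4968, 3, TMP + "\\IXP000.TMP\\FS2XW27.exe", TMP + "\\IXP001.TMP\\4ER9jf0.exe"),
    (4968, 3756, 3, TMP + "\\IXP001.TMP\\4ER9jf0.exe", APPLAUNCH),
    (4968, 4600, 8, TMP + "\\IXP001.TMP\\4ER9jf0.exe", APPLAUNCH),
    (1744, 3560, 3, STUB, TMP + "\\IXP000.TMP\\5lb94sH.exe"),
    (3560, 4580, 3, TMP + "\\IXP000.TMP\\5lb94sH.exe", "C:\\Windows\\SysWOW64\\cmd.exe"),
]
RAW_ROWS = "\n".join(
    f"PID {w} wrote to memory of {t} N/A {wimg} {timg}"
    for w, t, n, wimg, timg in PAIRS for _ in range(n)
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

def parse_rows(text):
    """Parse report rows into (writer_pid, target_pid, writer_image, target_image)."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header and blank lines do not match
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events

def write_counts(events):
    """Number of write events per (writer, target) pair."""
    return Counter((w, t) for w, t, _, _ in events)

def process_tree(events):
    """Roots, parent->children map and pid->image map. The first process that
    wrote into a PID is taken as its parent (the creating process)."""
    parent, image, children = {}, {}, defaultdict(list)
    for w, t, wimg, timg in events:
        image.setdefault(w, wimg)
        image.setdefault(t, timg)
        if t not in parent:
            parent[t] = w
            children[w].append(t)
    roots = [p for p in image if p not in parent]
    return roots, children, image

def hollowing_candidates(events, baseline=3):
    """(writer, target, writes) where the target is a binary under C:\\Windows and
    received more writes than the creation baseline. 3 is what every plain
    parent/child pair shows in this run (assumption; recalibrate per sandbox)."""
    image = {t: timg for _, t, _, timg in events}
    return sorted(
        (w, t, n) for (w, t), n in write_counts(events).items()
        if n > baseline and image[t].lower().startswith("c:\\windows\\")
    )

def render_tree(events):
    """Indented one-line-per-process view with the write count on each edge."""
    roots, children, image = process_tree(events)
    counts = write_counts(events)
    lines = []
    def walk(pid, depth, writes):
        name = image[pid].rsplit("\\", 1)[-1]
        suffix = f" ({writes} writes)" if writes else ""
        lines.append("  " * depth + f"{pid} {name}{suffix}")
        for child in children.get(pid, []):
            walk(child, depth + 1, counts[(pid, child)])
    for root in roots:
        walk(root, 0, 0)
    return lines

if __name__ == "__main__":
    events = parse_rows(RAW_ROWS)
    print("\n".join(render_tree(events)))
    for w, t, n in hollowing_candidates(events):
        print(f"hollowing candidate: {w} -> {t} ({n} writes)")
```

Run against this report's rows it flags 4288 -> 1508 and 4968 -> 4600 and leaves 4968 -> 3756 alone: the third AppLaunch.exe is also a Windows binary targeted by a dropped file, but it only received the creation-time writes, which is why the rule keys on the count and not on the target name alone.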

Network

Destination (country)       Domain                          Proto  Events
8.8.8.8:53 (US)             140.32.126.40.in-addr.arpa      udp    1
8.8.8.8:53 (US)             59.128.231.4.in-addr.arpa       udp    1
8.8.8.8:53 (US)             241.154.82.20.in-addr.arpa      udp    1
8.8.8.8:53 (US)             121.252.72.23.in-addr.arpa      udp    1
8.8.8.8:53 (US)             198.1.85.104.in-addr.arpa       udp    1
8.8.8.8:53 (US)             146.78.124.51.in-addr.arpa      udp    1
8.8.8.8:53 (US)             26.35.223.20.in-addr.arpa       udp    1
8.8.8.8:53 (US)             183.59.114.20.in-addr.arpa      udp    1
8.8.8.8:53 (US)             206.23.85.13.in-addr.arpa       udp    1
8.8.8.8:53 (US)             43.58.199.20.in-addr.arpa       udp    1
8.8.8.8:53 (US)             43.229.111.52.in-addr.arpa      udp    1
8.8.8.8:53 (US)             tse1.mm.bing.net                udp    1
8.8.8.8:53 (US)             (none recorded)                 udp    2
204.79.197.200:443 (US)     tse1.mm.bing.net                tcp    5
5.42.92.51:19057 (RU)       (none; contacted by raw IP)     tcp    6
40.79.141.153:443 (N/A)     (none recorded)                 tcp    1

The eleven in-addr.arpa queries are reverse (PTR) lookups and carry no domain indicator; tse1.mm.bing.net is a Microsoft host that a Windows 10 image contacts on its own. The one destination reached by raw IP on a non-web port is 5.42.92.51:19057 (RU): six TCP sessions with no preceding DNS resolution, which is the network IOC to take from this run. The report does not record which process opened those sessions and does not attribute them to Mystic or RedLine.
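The network table mixes reverse-DNS noise, Microsoft background traffic and one raw-IP TCP session. The script below parses the rows as the report prints them, folds the in-addr.arpa names back to the addresses they looked up, checks whether any of those addresses was also contacted directly, and ranks unresolved TCP destinations. This is an added example written for this page, not part of the sandbox report or its tooling; the rows are copied from the table above, and the "unresolved, non-web port, repeated" rule is a triage heuristic, not a family signature.

```python
import re
from collections import Counter

# Rows copied from the Network table of this report: "country dest:port [domain] proto".
# Rows with three fields carry no domain in the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 udp
N/A 40.79.141.153:443 tcp
US 8.8.8.8:53 udp
RU 5.42.92.51:19057 tcp
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE)

def parse_network(text):
    """Each row is 'country dest:port [domain] proto'; the domain column may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows

def ptr_to_ip(name):
    """'140.32.126.40.in-addr.arpa' -> '40.126.32.140' (PTR names list the octets reversed)."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None

def reverse_lookups(rows):
    """Addresses that were looked up in reverse; background noise unless one of them
    is also contacted directly (see crosscheck)."""
    return [ptr_to_ip(r["domain"]) for r in rows if r["proto"] == "udp" and ptr_to_ip(r["domain"])]

def unresolved_tcp(rows):
    """TCP flows to destinations the report associates with no domain name."""
    return dict(Counter((r["ip"], r["port"]) for r in rows if r["proto"] == "tcp" and r["domain"] is None))

def candidate_c2(rows, web_ports=(80, 443)):
    """Unresolved TCP to a non-web port, ranked by repetition: the strongest C2 lead
    this kind of table offers. A heuristic, not a family signature."""
    return sorted(
        ((ip, port, n) for (ip, port), n in unresolved_tcp(rows).items() if port not in web_ports),
        key=lambda x: -x[2],
    )

def crosscheck(rows):
    """Reverse-looked-up addresses that were also contacted over TCP (none in this run)."""
    direct = {r["ip"] for r in rows if r["proto"] == "tcp"}
    return sorted(set(reverse_lookups(rows)) & direct)

if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    print("reverse lookups:", reverse_lookups(rows))
    print("unresolved tcp:", unresolved_tcp(rows))
    print("candidate C2:", candidate_c2(rows))
    print("PTR targets also contacted:", crosscheck(rows))
```

The 40.79.141.153:443 session is also unresolved, but it is a single connection on 443, so it stays in the unresolved list without being promoted; if a later run showed it repeated, or one of the PTR-looked-up addresses turned up in crosscheck, those would be the next IOCs to pivot on.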

Files

Dropped files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FS2XW27.exe
  MD5 6c804b9ee6377bc5f2a6e19d73b9082b
  SHA1 124bf498c911fb2508246958398d536bc23d3b36
  SHA256 038c906c2664e220a8662e365b45459099c6a9fe59e920f73da401b71ff625d8
  SHA512 9a262a62605f046d1f002fe9ff597c5ef27eeefe55723e1a9ec5682b5eda20af1766352a7fc0837beb5965b69df215a32c4bb7ff89411fd2de5dcbab056520f0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3ia978uw.exe
  MD5 8ef9a540c8ddbd048d22795289c47382
  SHA1 e69dfc2d0d8aba8ba3d9348c8d7c60176e1440a7
  SHA256 a6eb12774bea4be9f4cbf36108423b79832ada6a669954f46a9dc2c1ceec8c11
  SHA512 a7ce700eb6faa3d45fef24b5b0ed7d21c6af8e4feb571fac639e36c58751926cf62e321733149a755a4a6223ce37b754d7b6ae7d5e8a2f84a9d5f08606d97c67

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ER9jf0.exe
  MD5 40fb4a4c238fe205ab177b72888e9314
  SHA1 e5e2ab61c30ed10cffa31e5ac5ab52a6b15789c9
  SHA256 24bb3f6324a95d8dcc68d35ea6762d69a3671ffe6d394233c0ead2ebde59724f
  SHA512 c54e130bdc7d0327450c2d96a53480a22dead4c96b1a0c9c2c3a7e35cd6dcd72a5f9aac54217e1021b245d2a6f9892802862634de52d80d16745610227f2d123

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5lb94sH.exe
  MD5 745c941242dbf80aa35461d35f9e587d
  SHA1 a33c6107f568d14b5ce1823739b4be7da1d6dcb4
  SHA256 cfb9eeacbe2872f2bfe2c10d6eb9dcccd9e5194f4c647d01dfad2c7c8eda8f26
  SHA512 54671a6db31a9aa6e397fc0b9919fc49fc561172b62c46a1e02db4cc075cf7148fcdeff106908b2cda594d82c7f97efad22195aae1f6f4e09f92d0183a92a88e

C:\Users\Admin\AppData\Local\Temp\is64.txt
  MD5 a5ea0ad9260b1550a14cc58d2c39b03d
  SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
  SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
  SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

C:\Users\Admin\AppData\Local\Temp\is64.bat
  MD5 225edee1d46e0a80610db26b275d72fb
  SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
  SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
  SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

The four executables are the IExpress payloads (IXP000.TMP from the outer stub, IXP001.TMP from FS2XW27.exe). is64.bat is the script run by cmd.exe (PID 4580) on behalf of 5lb94sH.exe; the report records the hashes of is64.bat and is64.txt but not their contents.

Memory dumps (memory/PID-index-start-end)

PID 1508, AppLaunch.exe started by 3ia978uw.exe:
  memory/1508-14-0x0000000000400000-0x0000000000433000-memory.dmp
  memory/1508-15-0x0000000000400000-0x0000000000433000-memory.dmp
  memory/1508-16-0x0000000000400000-0x0000000000433000-memory.dmp
  memory/1508-18-0x0000000000400000-0x0000000000433000-memory.dmp

PID 4600, AppLaunch.exe started by 4ER9jf0.exe:
  memory/4600-22-0x0000000000400000-0x000000000043C000-memory.dmp
  memory/4600-28-0x0000000074060000-0x0000000074810000-memory.dmp
  memory/4600-29-0x0000000007DC0000-0x0000000008364000-memory.dmp
  memory/4600-31-0x0000000007910000-0x00000000079A2000-memory.dmp
  memory/4600-33-0x00000000078F0000-0x0000000007900000-memory.dmp
  memory/4600-34-0x0000000007AD0000-0x0000000007ADA000-memory.dmp
  memory/4600-39-0x0000000008990000-0x0000000008FA8000-memory.dmp
  memory/4600-40-0x0000000007C80000-0x0000000007D8A000-memory.dmp
  memory/4600-41-0x0000000007BB0000-0x0000000007BC2000-memory.dmp
  memory/4600-42-0x0000000007C10000-0x0000000007C4C000-memory.dmp
  memory/4600-43-0x0000000008370000-0x00000000083BC000-memory.dmp
  memory/4600-44-0x0000000074060000-0x0000000074810000-memory.dmp
  memory/4600-45-0x00000000078F0000-0x0000000007900000-memory.dmp

Both dump sets begin with the region at 0x400000, the default image base of a 32-bit executable. A dump of that region taken from a system binary's process, after the WriteProcessMemory and SetThreadContext activity recorded above, is where a hollowed-process payload sits, and it is the region to carve for the unpacked Mystic and RedLine binaries rather than the dropped executables themselves, which are only the loaders.