Analysis
max time kernel: 139s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2023 10:16
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe
Size: 522KB
MD5: 7ffb7d07a7b44f4e8fe2c5b5bd363be3
SHA1: 8deae8adf73eb1b255c90fdd589411afaf0b6dda
SHA256: 079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e
SHA512: e25abc8ae8540afa4754acb049d4783d8d0d9c8de0c3a1c3b06dacd87cea7939c0e550273ce1ef54e03dd310089c93b4d82cbd68d0fdefe9969b0c7f5f8f90b8
SSDEEP: 12288:7Mr1y90UwA23J5NiPtd5OESdGGQ1PpHH85vAtwsr0+u4Z:yyZ23J5Ne2kj1hc5vSwD+3
Malware Config
Extracted
Family: redline
Botnet: taiga
C2: 5.42.92.51:19057
Signatures
Detect Mystic stealer payload (4 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2160-14-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/2160-15-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/2160-16-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/2160-18-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoC)
Processes:
resource | yara_rule
behavioral1/memory/2320-22-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | 5Me31kR.exe
Executes dropped EXE (4 IoCs)
Processes:
pid | Process
2812 | FG0By08.exe
1600 | 3QD630yn.exe
1176 | 4bo9Km3.exe
2804 | 5Me31kR.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | FG0By08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | Process | procid_target
PID 1600 set thread context of 2160 | 1600 | 3QD630yn.exe | 92
PID 1176 set thread context of 2320 | 1176 | 4bo9Km3.exe | 101
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes:
pid | pid_target | Process | procid_target
908 | 2160 | WerFault.exe | 92
Suspicious use of WriteProcessMemory (36 IoCs)
Processes (identical events grouped, with the number of occurrences in the last column):
description | pid | Process | procid_target | count
PID 2104 wrote to memory of 2812 | 2104 | NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe | 88 | 3
PID 2812 wrote to memory of 1600 | 2812 | FG0By08.exe | 89 | 3
PID 1600 wrote to memory of 2160 | 1600 | 3QD630yn.exe | 92 | 10
PID 2812 wrote to memory of 1176 | 2812 | FG0By08.exe | 94 | 3
PID 1176 wrote to memory of 948 | 1176 | 4bo9Km3.exe | 99 | 3
PID 1176 wrote to memory of 2320 | 1176 | 4bo9Km3.exe | 101 | 8
PID 2104 wrote to memory of 2804 | 2104 | NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe | 102 | 3
PID 2804 wrote to memory of 3600 | 2804 | 5Me31kR.exe | 104 | 3
Processes (tree; indentation shows parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe (PID 2104)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FG0By08.exe (PID 2812)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FG0By08.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3QD630yn.exe (PID 1600)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3QD630yn.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2160)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        C:\Windows\SysWOW64\WerFault.exe (PID 908)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 540
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4bo9Km3.exe (PID 1176)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4bo9Km3.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 948)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2320)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Me31kR.exe (PID 2804)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Me31kR.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3600)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
C:\Windows\SysWOW64\WerFault.exe (PID 2148)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2160 -ip 2160
Network
MITRE ATT&CK Enterprise v15
Downloads