Malware Analysis Report

2024-12-08 01:05

Sample ID: 231111-ma536sec53
Target: NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe
SHA256: 079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e
Tags: mystic redline taiga infostealer persistence stealer
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e
Threat level: Known bad

Malicious Activity Summary

Tags: mystic redline taiga infostealer persistence stealer

Signatures triggered:

Detect Mystic stealer payload

Mystic

RedLine payload

RedLine

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2023-11-11 10:16

Signatures

Unsigned PE (the sample carries no Authenticode signature; no indicator rows were captured for this signature)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-11-11 10:16
Reported: 2023-11-11 10:19
Platform: win10v2004-20231020-en
Max time kernel: 139s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe"

Signatures

Detect Mystic stealer payload: 4 hits (the indicator, process and target columns were not captured in this export)
Family: Mystic (tags: stealer, mystic)

RedLine payload: 1 hit (the indicator, process and target columns were not captured in this export)
Family: RedLine (tags: infostealer, redline)

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Me31kR.exe

Geo\Nation holds the GeoID of the user's configured country, so this read is a locale/geofence check by the 5Me31kR.exe stage, not a data-collection step.

Adds Run key to start application (tagged: persistence)

Both values are written under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (escaping removed from the raw rows):

wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  written by: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FG0By08.exe

wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  written by: C:\Users\Admin\AppData\Local\Temp\NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe

Caveat: wextract_cleanupN RunOnce values that call advpack.dll,DelNodeRunDLL32 are written by the Windows IExpress/WEXTRACT self-extractor so that its IXP00N.TMP extraction directory is deleted at the next logon. Together with the IXP000.TMP and IXP001.TMP paths they show that the sample is an IExpress package that unpacks a second IExpress package (FG0By08.exe). The signature fires correctly, but these entries run a deletion stub, not the stealer, and should not be read as payload persistence.
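A triage helper for exactly this distinction, added here as an example (it is not part of the sandbox report or of any vendor tooling): it parses "Set value" rows in the format above, undoes the report's backslash escaping, and separates the IExpress cleanup stub from a genuine autostart entry. The first two sample rows are this report's RunOnce rows; the third ("Updater" pointing at a svc.exe under Roaming) is a constructed, hypothetical persistence entry added for contrast. The autorun key list and the cleanup-stub pattern are the example's own assumptions.

```python
"""Classify Run/RunOnce values from sandbox 'Set value (str)' registry rows.

Added example, not part of the sandbox report. Rows 1-2 are from the report;
row 3 ('Updater') is constructed for contrast. Key list and IExpress pattern
are this example's assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FG0By08.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\svc.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Me31kR.exe
'''

# Row layout: Set value (<type>) <key> = "<escaped data>" <writing process>
ROW = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
# Autostart locations this example cares about (assumed list; extend as needed).
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\", "\\currentversion\\runonceex\\")
# The cleanup stub IExpress/WEXTRACT registers: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"
IEXPRESS_CLEANUP = re.compile(r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)"?$', re.I)
IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP\\?$", re.I)


@dataclass
class AutorunEvent:
    key: str
    name: str      # last path component of the key, i.e. the value name
    data: str      # unescaped value data
    process: str   # process that wrote it


def unescape(s):
    # Undo the report's escaping: a backslash quotes the next character
    # (so a doubled backslash is one backslash and \" is a quote).
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse(text):
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        key = m["key"]
        events.append(AutorunEvent(key, key.rsplit("\\", 1)[1], unescape(m["data"]), m["proc"]))
    return events


def classify(ev):
    k = ev.key.lower()
    if not any(a in k for a in AUTORUN_KEYS):
        return "not-autorun"
    m = IEXPRESS_CLEANUP.match(ev.data)
    # Cleanup stub: RunOnce, wextract_cleanupN name, and the target is an IXPnnn.TMP dir.
    if m and "\\runonce\\" in k and ev.name.lower().startswith("wextract_cleanup") and IXP_DIR.search(m["dir"]):
        return "iexpress-cleanup"
    return "autorun-persistence"


def triage(text):
    """Return (value name, verdict, writing process) per autorun row."""
    return [(ev.name, classify(ev), ev.process) for ev in parse(text)]


if __name__ == "__main__":
    for name, verdict, proc in triage(SAMPLE_EVENTS):
        print(f"{verdict:22} {name:20} written by {proc}")
```

Run it against the two report rows and the verdict is "iexpress-cleanup" for both; only the constructed "Updater" row is reported as real autostart persistence. The same check applied to Sysmon Event ID 13 data suppresses this noise wherever IExpress installers are in use.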

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

The 36 raw rows (Process column N/A in every one; the writer and target paths are the last two columns) collapse to eight writer/target pairs. Paths: sample = C:\Users\Admin\AppData\Local\Temp\NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe; IXP000.TMP and IXP001.TMP are under C:\Users\Admin\AppData\Local\Temp; AppLaunch.exe = C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe; cmd.exe = C:\Windows\SysWOW64\cmd.exe.

Writer (PID)               Target (PID)                      Writes
sample (2104)              IXP000.TMP\FG0By08.exe (2812)      3
FG0By08.exe (2812)         IXP001.TMP\3QD630yn.exe (1600)     3
3QD630yn.exe (1600)        AppLaunch.exe (2160)              10
FG0By08.exe (2812)         IXP001.TMP\4bo9Km3.exe (1176)      3
4bo9Km3.exe (1176)         AppLaunch.exe (948)                3
4bo9Km3.exe (1176)         AppLaunch.exe (2320)               8
sample (2104)              IXP000.TMP\5Me31kR.exe (2804)      3
5Me31kR.exe (2804)         cmd.exe (3600)                     3

Every ordinary parent-to-child launch in this table, including 5Me31kR.exe starting cmd.exe, shows exactly three writes, so three is this sandbox's baseline for process creation. The 10 writes from 3QD630yn.exe into AppLaunch.exe (2160) and the 8 from 4bo9Km3.exe into AppLaunch.exe (2320), taken together with the "Suspicious use of SetThreadContext" signature and the memory dumps of the 0x400000 image region of those two PIDs (see Files), are the process-hollowing pattern: the dropper starts the legitimate .NET Framework host AppLaunch.exe, overwrites its image with the payload and redirects its thread. PID 2160 subsequently crashed (WerFault.exe -p 2160 under Processes), which is the "Program crash" signature in the summary.
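The reasoning above, written out as a script a responder could run over the raw rows. This is an added example, not part of the sandbox report: it rebuilds the process tree from the "PID X wrote to memory of Y" rows, derives the per-launch write baseline from the data itself, and flags pairs that exceed it or that target a watch-listed .NET host. The rows are the report's 36 rows given as 8 distinct rows with their repeat counts; the parent-equals-writer assumption and the host watch list are the example's own.

```python
"""Process tree and injection flags from sandbox WriteProcessMemory rows.

Added example, not part of the sandbox report. Input reconstructs the
report's 36 rows from 8 distinct rows and their repeat counts. Assumptions:
the writer of a freshly started process is its parent (the CreateProcess
writes the sandbox logs), and the HOLLOW_HOSTS watch list.
"""
import ntpath
import re
from collections import Counter, defaultdict
from statistics import mode

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe"
IXP0, IXP1 = TEMP + r"\IXP000.TMP", TEMP + r"\IXP001.TMP"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

ROWS = [  # (row as the report prints it, number of times it appears)
    (f"PID 2104 wrote to memory of 2812 N/A {DROPPER} {IXP0}\\FG0By08.exe", 3),
    (f"PID 2812 wrote to memory of 1600 N/A {IXP0}\\FG0By08.exe {IXP1}\\3QD630yn.exe", 3),
    (f"PID 1600 wrote to memory of 2160 N/A {IXP1}\\3QD630yn.exe {APPLAUNCH}", 10),
    (f"PID 2812 wrote to memory of 1176 N/A {IXP0}\\FG0By08.exe {IXP1}\\4bo9Km3.exe", 3),
    (f"PID 1176 wrote to memory of 948 N/A {IXP1}\\4bo9Km3.exe {APPLAUNCH}", 3),
    (f"PID 1176 wrote to memory of 2320 N/A {IXP1}\\4bo9Km3.exe {APPLAUNCH}", 8),
    (f"PID 2104 wrote to memory of 2804 N/A {DROPPER} {IXP0}\\5Me31kR.exe", 3),
    (f"PID 2804 wrote to memory of 3600 N/A {IXP0}\\5Me31kR.exe {CMD}", 3),
]
SAMPLE_TEXT = "\n".join(row for row, n in ROWS for _ in range(n))

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
# .NET Framework hosts that loaders commonly start suspended and hollow (assumed watch list).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}


def parse(text):
    """Return ({(writer_pid, target_pid): write_count}, {pid: image_path})."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        w, t = int(m[1]), int(m[2])
        edges[(w, t)] += 1
        names[w], names[t] = m[3], m[4]
    return edges, names


def flag_injections(edges, names):
    """Baseline = modal write count per pair (the cost of one plain CreateProcess
    in this sandbox). Anything above it, or any write into a watch-listed host,
    is reported with its reasons."""
    baseline = mode(edges.values())
    flagged = []
    for (w, t), n in edges.items():
        host = ntpath.basename(names[t]).lower()
        reasons = []
        if n > baseline:
            reasons.append(f"{n} writes vs baseline {baseline}")
        if host in HOLLOW_HOSTS:
            reasons.append(f"target {host} is a known hollowing host")
        if reasons:
            flagged.append((w, t, n, reasons))
    return baseline, flagged


def render_tree(edges, names):
    """Indented process tree, treating writer -> target as parent -> child."""
    children = defaultdict(list)
    for w, t in edges:
        children[w].append(t)
    targets = {t for _, t in edges}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{ntpath.basename(names[pid])} (PID {pid})")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for root in sorted(p for p in names if p not in targets):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    e, nm = parse(SAMPLE_TEXT)
    print("\n".join(render_tree(e, nm)))
    base, hits = flag_injections(e, nm)
    for w, t, n, why in hits:
        print(f"{w} -> {t}: {'; '.join(why)}")
```

On this report the baseline comes out as 3 and the script flags the three AppLaunch.exe targets (2160, 948, 2320); the nine-process tree it prints matches the Processes section below. Deriving the baseline from the data rather than hard-coding it keeps the check valid across sandboxes that log a different number of writes per launch.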

Processes

Parent/child relationships below are taken from the WriteProcessMemory table (the writer of a newly created process is its parent). The PIDs of the two WerFault.exe instances were not recorded; their -p 2160 argument ties them to the first AppLaunch.exe. Each AppLaunch.exe was started with no arguments, which is consistent with a host created only to be hollowed.

C:\Users\Admin\AppData\Local\Temp\NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe (PID 2104)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.079c859fca72aa37af2c901242c2f908d54ab2f0b2856bd700a38eba5962693e.exe"
  +- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FG0By08.exe (PID 2812)
     +- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3QD630yn.exe (PID 1600)
        +- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2160), crashed
           crash handlers for PID 2160:
           C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2160 -ip 2160
           C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 540
     +- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4bo9Km3.exe (PID 1176)
        +- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 948)
        +- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2320)
  +- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Me31kR.exe (PID 2804)
     +- C:\Windows\SysWOW64\cmd.exe (PID 3600)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Grouped by destination and domain (the raw table lists every connection separately; Count is the number of raw rows):

Country  Destination         Domain                         Proto  Count
US       8.8.8.8:53          4.159.190.20.in-addr.arpa      udp    1
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp    1
US       8.8.8.8:53          9.228.82.20.in-addr.arpa       udp    1
US       8.8.8.8:53          146.78.124.51.in-addr.arpa     udp    1
US       8.8.8.8:53          198.1.85.104.in-addr.arpa      udp    1
US       8.8.8.8:53          43.58.199.20.in-addr.arpa      udp    1
US       8.8.8.8:53          208.194.73.20.in-addr.arpa     udp    1
US       8.8.8.8:53          158.240.127.40.in-addr.arpa    udp    1
US       8.8.8.8:53          103.169.127.40.in-addr.arpa    udp    1
US       8.8.8.8:53          206.23.85.13.in-addr.arpa      udp    1
US       8.8.8.8:53          58.252.72.23.in-addr.arpa      udp    1
US       8.8.8.8:53          205.47.74.20.in-addr.arpa      udp    1
US       8.8.8.8:53          90.65.42.20.in-addr.arpa       udp    1
US       8.8.8.8:53          tse1.mm.bing.net               udp    1
US       204.79.197.200:443  tse1.mm.bing.net               tcp    5
RU       5.42.92.51:19057    (none: connected by IP)        tcp    6

The thirteen in-addr.arpa queries are reverse (PTR) lookups of addresses in Microsoft and CDN ranges, and the tse1.mm.bing.net traffic is Windows background activity. The one destination that is neither the sandbox resolver nor a Microsoft service is 5.42.92.51:19057: contacted six times over TCP, directly by IP with no preceding DNS lookup, on a non-standard port, in a detonation whose only detected payloads are RedLine and Mystic. That IP:port pair is the network indicator to pivot on from this report. The report does not itself label it as a C2, so confirm it against the payload's extracted configuration before blocking on it alone.
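The filtering applied above, as a script (added example, not part of the sandbox report): it parses the raw Network rows, drops PTR lookups and allow-listed service traffic, and surfaces destinations that were reached by bare IP or without a matching DNS query. The rows are the report's own table pasted verbatim (the RU rows have an empty Domain column); the service allow-list and the "direct to IP on a non-web port" heuristic are the example's assumptions.

```python
"""Separate sandbox background traffic from connection IOCs in a Network table.

Added example, not part of the sandbox report. SAMPLE_NETWORK is the report's
table verbatim. SERVICE_SUFFIXES and the direct-to-IP heuristic are assumed;
tune them per environment.
"""
from collections import Counter
from dataclasses import dataclass

SAMPLE_NETWORK = """\
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
"""

# Domains treated as OS/sandbox background traffic (assumed allow-list).
SERVICE_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")
WEB_PORTS = {"80", "443"}
NOISE = {"ptr-lookup", "dns-query-service", "known-service"}


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str     # ip:port
    domain: str   # empty when the connection went straight to an IP
    proto: str


def parse(text):
    """Rows are 'CC ip:port [domain] proto'; the domain column may be absent."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4:
            flows.append(Flow(f[0], f[1], f[2], f[3]))
        elif len(f) == 3:
            flows.append(Flow(f[0], f[1], "", f[2]))
    return flows


def classify(flow, resolved):
    port = flow.dest.rpartition(":")[2]
    if flow.proto == "udp" and port == "53":
        if flow.domain.endswith(".in-addr.arpa"):
            return "ptr-lookup"
        return "dns-query-service" if flow.domain.endswith(SERVICE_SUFFIXES) else "dns-query"
    if flow.domain.endswith(SERVICE_SUFFIXES):
        return "known-service"
    if not flow.domain:
        return "direct-ip" if port in WEB_PORTS else "direct-ip-nonstandard-port"
    return "resolved-host" if flow.domain in resolved else "unresolved-host"


def triage(text):
    """Return {flow: (category, count)} for every distinct flow in the table."""
    counts = Counter(parse(text))
    resolved = {f.domain for f in counts
                if f.proto == "udp" and f.dest.endswith(":53") and not f.domain.endswith(".in-addr.arpa")}
    return {f: (classify(f, resolved), n) for f, n in counts.items()}


def candidate_iocs(result):
    """(destination, category, count) for everything not explained as noise, busiest first."""
    return sorted(((f.dest, cat, n) for f, (cat, n) in result.items() if cat not in NOISE),
                  key=lambda x: -x[2])


if __name__ == "__main__":
    for dest, cat, n in candidate_iocs(triage(SAMPLE_NETWORK)):
        print(f"{dest:22} {cat:28} x{n}")
```

For this table the only candidate is 5.42.92.51:19057 (direct-ip-nonstandard-port, 6 connections). A DNS query for a domain outside the allow-list would also surface, as "dns-query", since a stealer that resolves its C2 by name leaves the name rather than a bare IP.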

Files

Dropped executables (each appears twice in the raw report with identical hashes; listed once here):

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FG0By08.exe
MD5 e515d2638efb11ba8c4104b6330f0fa4
SHA1 5853c58a06b53ce0ebe1cdc769083663c9b680cc
SHA256 98a61524c5b3d9f31292e81ab075f1eb9cf4e16fb8c4426133c7fd3e93e9ad95
SHA512 7733c7401c3a1a414b67ae8d28b0c6e0a65fdc964be4b252a5bf1721c0a7f2ce9884a31bf6411914789d9f132d0358e187ee9998356154bef0569d2f47ee63a5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3QD630yn.exe
MD5 db4e565e559352e0d14b439013b589cd
SHA1 ec6fae9b38283e877a4fdacb6f0a234e7c869d62
SHA256 9dad20945becf3a318fbd9de3a1640e8116b23c25de814d95aa4039156b37a51
SHA512 7aa3cf167f5c38a43a15e34687db35f5520377949daeec7a7f9e593395a89a21bce231ddd57bdd82af7c3cfab7a70391ae17dfc9c09af6d2d43aa560b0e55aa2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4bo9Km3.exe
MD5 f6659f637d8488ac7208d5b8e93639d0
SHA1 37821c29ceb621a9cd8b804bd22c103718ca1b0c
SHA256 4d06804d8bf6c7b903f64dd5ea44965eeabea017d17847333bdacb83902a15bd
SHA512 7835b55ca65d39719c5a63f1966eaa25e819b2ecc8e0ec7e1ad750e1e432cb06721204d5a0617e237cdd2ad7ae2820a4ff6dce3b74996cf0aabb0d269cc6a080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Me31kR.exe
MD5 70e6c340b942e52bde1cf614b4f2a359
SHA1 be57703cd4e62f02812e80a5f3fbbdc3fd2c35c0
SHA256 bfe9bec3d2326c282ee76bab8981774f53d6f4289115ce074451e0e63902c69b
SHA512 7dc7b6398cea4b2bc9e89a093908d14f0370ebef385fece52d48be8f41cca589e54defe8bfee5dcc3c93d8f54e63d125e75c41a037321208d92e604703d18aa2

Other dropped files:

C:\Users\Admin\AppData\Local\Temp\is64.bat (the script cmd.exe runs for 5Me31kR.exe, see Processes)
MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt
MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Memory dumps, grouped by process:

PID 2160 (AppLaunch.exe), image region 0x00400000-0x00433000:
memory/2160-14-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2160-15-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2160-16-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2160-18-0x0000000000400000-0x0000000000433000-memory.dmp

PID 2320 (AppLaunch.exe), image region 0x00400000-0x0043C000:
memory/2320-22-0x0000000000400000-0x000000000043C000-memory.dmp

PID 2320 (AppLaunch.exe), other regions:
memory/2320-28-0x0000000073D70000-0x0000000074520000-memory.dmp
memory/2320-30-0x0000000007CF0000-0x0000000008294000-memory.dmp
memory/2320-31-0x0000000007820000-0x00000000078B2000-memory.dmp
memory/2320-33-0x0000000007960000-0x0000000007970000-memory.dmp
memory/2320-34-0x0000000007930000-0x000000000793A000-memory.dmp
memory/2320-39-0x00000000088C0000-0x0000000008ED8000-memory.dmp
memory/2320-40-0x0000000007BD0000-0x0000000007CDA000-memory.dmp
memory/2320-41-0x0000000007B00000-0x0000000007B12000-memory.dmp
memory/2320-42-0x0000000007B60000-0x0000000007B9C000-memory.dmp
memory/2320-43-0x00000000082A0000-0x00000000082EC000-memory.dmp
memory/2320-44-0x0000000073D70000-0x0000000074520000-memory.dmp
memory/2320-45-0x0000000007960000-0x0000000007970000-memory.dmp

0x00400000 is the default image base of a 32-bit PE (both AppLaunch.exe processes are 32-bit; their crash handler runs from SysWOW64), so the 0x00400000 dumps from PIDs 2160 and 2320 are the region a hollowed payload is mapped into. Those dumps, rather than the on-disk droppers, are the artefacts to pull for static analysis of the unpacked stealer.