Malware Analysis Report

2024-12-08 01:21

Sample ID 231111-mgw4vaed72
Target NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe
SHA256 db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003
Tags
mystic redline taiga infostealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003

Threat Level: Known bad

The file NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe was found to be: Known bad.

Malicious Activity Summary

mystic redline taiga infostealer persistence stealer

Detect Mystic stealer payload

RedLine

Mystic

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 10:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 10:26

Reported

2023-11-11 10:29

Platform

win10v2004-20231023-en

Max time kernel

138s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD65Eq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe N/A

Both values are the standard wextract (IExpress self-extractor) cleanup entries rather than a persistence mechanism of the stealer: at the next logon rundll32 loads advpack.dll and calls DelNodeRunDLL32 to delete the IXP000.TMP and IXP001.TMP extraction directories. Together with the IXP00x.TMP paths they show that the sample is a nested IExpress package (the outer package drops Ac1XH54.exe and 5HD65Eq.exe, and Ac1XH54.exe in turn drops 3aI829jU.exe and 4Ev1RU4.exe). No other autostart entry is recorded in this detonation.

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe
PID 3408 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe
PID 3408 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe
PID 4516 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe
PID 4516 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe
PID 4516 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe
PID 4028 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4028 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4028 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4028 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4028 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4028 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4028 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4028 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4028 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4028 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4516 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe
PID 4516 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe
PID 4516 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe
PID 5056 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5056 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3408 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD65Eq.exe
PID 3408 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD65Eq.exe
PID 3408 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD65Eq.exe
PID 412 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD65Eq.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD65Eq.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD65Eq.exe C:\Windows\SysWOW64\cmd.exe
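The table above mixes two very different things: the three writes a parent makes into each child it starts (3408 into Ac1XH54.exe and 5HD65Eq.exe, Ac1XH54.exe into its two droppers, 5HD65Eq.exe into cmd.exe) and the 8 to 10 writes that 3aI829jU.exe and 4Ev1RU4.exe make into freshly started copies of the .NET host AppLaunch.exe. Read with the "Suspicious use of SetThreadContext" signature, the second pattern is process hollowing (start the host suspended, overwrite its image, set the thread context, resume), and the memory dumps of PIDs 4976 and 3392 at 0x400000 in the Files section are where the injected images were captured (instance 4976 then crashed; see the WerFault rows under Processes). The script below is an added example by the page editor, not part of the sandbox report or its tooling: it parses rows in the exact form printed above (rebuilt with the same multiplicities as the table), prints the injection tree, flags hosts under C:\Windows that receive more writes than the smallest count in the log (the editor's heuristic for "plain CreateProcess", not a sandbox signature), and pairs the flagged PIDs with the dumped regions that start at the default 32-bit image base.

```python
"""Rebuild the injection chain from 'Suspicious use of WriteProcessMemory'
rows and pair each injected host with the memory regions dumped from it.

Added example by the page editor; not part of the sandbox report or tooling.
Rows are the report's table rebuilt with the same counts; dump names are
copied from the Files section.  The heuristic (Windows-directory image that
receives more writes than a plain child launch) is the editor's assumption.
"""
import ntpath
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NEAS = TEMP + r"\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe"
AC1 = TEMP + r"\IXP000.TMP\Ac1XH54.exe"
HD6 = TEMP + r"\IXP000.TMP\5HD65Eq.exe"
AI8 = TEMP + r"\IXP001.TMP\3aI829jU.exe"
EV1 = TEMP + r"\IXP001.TMP\4Ev1RU4.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# The report's table, one line per event (33 rows, same multiplicities).
WPM_ROWS = "\n".join(
    [f"PID 3408 wrote to memory of 4516 N/A {NEAS} {AC1}"] * 3
    + [f"PID 4516 wrote to memory of 4028 N/A {AC1} {AI8}"] * 3
    + [f"PID 4028 wrote to memory of 4976 N/A {AI8} {APPLAUNCH}"] * 10
    + [f"PID 4516 wrote to memory of 5056 N/A {AC1} {EV1}"] * 3
    + [f"PID 5056 wrote to memory of 3392 N/A {EV1} {APPLAUNCH}"] * 8
    + [f"PID 3408 wrote to memory of 412 N/A {NEAS} {HD6}"] * 3
    + [f"PID 412 wrote to memory of 4056 N/A {HD6} {CMD}"] * 3
)

# Dump names from the Files section (subset: the 0x400000 regions plus two others).
MEMORY_DUMPS = [
    "memory/4976-14-0x0000000000400000-0x0000000000433000-memory.dmp",
    "memory/4976-15-0x0000000000400000-0x0000000000433000-memory.dmp",
    "memory/3392-22-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/3392-28-0x00000000746F0000-0x0000000074EA0000-memory.dmp",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_wpm(text):
    """-> [(src_pid, dst_pid, src_image, dst_image)], one tuple per event."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m[1]), int(m[2]), m[3], m[4]))
    return rows


def write_counts(rows):
    """(src_pid, dst_pid) -> number of WriteProcessMemory events."""
    return Counter((s, d) for s, d, _, _ in rows)


def hollowing_targets(rows):
    """Injected hosts: a C:\\Windows image receiving more writes than the
    smallest count in the log (assumed to be what a plain CreateProcess costs)."""
    counts = write_counts(rows)
    images = {(s, d): (sp, dp) for s, d, sp, dp in rows}
    baseline = min(counts.values())
    found = {}
    for (s, d), n in counts.items():
        sp, dp = images[(s, d)]
        if n > baseline and dp.lower().startswith("c:\\windows\\"):
            found[d] = {"host": ntpath.basename(dp), "injector": s,
                        "injector_image": ntpath.basename(sp), "writes": n}
    return found


def process_tree(rows, root):
    """Indented text tree of who wrote into whom, starting at pid `root`."""
    children, name = defaultdict(list), {}
    for s, d, sp, dp in rows:
        name[s], name[d] = sp, dp
        if d not in children[s]:
            children[s].append(d)
    counts, lines = write_counts(rows), []

    def walk(pid, depth, writes):
        suffix = f"  ({writes} writes)" if writes else ""
        lines.append("  " * depth + f"{pid} {ntpath.basename(name[pid])}{suffix}")
        for child in children[pid]:
            walk(child, depth + 1, counts[(pid, child)])

    walk(root, 0, 0)
    return lines


def payload_regions(dumps, pids, image_base=0x400000):
    """Dumped regions of the injected hosts that start at the default 32-bit
    image base: the first place to carve for the unpacked stealer image."""
    out = {}
    for dump in dumps:
        m = DUMP_RE.fullmatch(dump)
        if m and int(m[1]) in pids and int(m[2], 16) == image_base:
            out.setdefault(int(m[1]), set()).add((int(m[2], 16), int(m[3], 16)))
    return out


if __name__ == "__main__":
    rows = parse_wpm(WPM_ROWS)
    print("\n".join(process_tree(rows, 3408)))
    targets = hollowing_targets(rows)
    print("hollowed hosts:", targets)
    print("regions to carve:", payload_regions(MEMORY_DUMPS, set(targets)))
```

The baseline trick only works because every plain child launch in this log costs exactly three writes; on another sandbox or an EDR feed, replace `min(counts.values())` with the baseline measured for that platform, and keep the path check, since cmd.exe here also sits under C:\Windows but receives only the creation-time writes.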

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.db7b03642dd5c82aba44181a5259950c82b933e6d10cd61ce0fac64963ccf003.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4976 -ip 4976

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD65Eq.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD65Eq.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 540

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           72.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa     udp
US       8.8.8.8:53           121.252.72.23.in-addr.arpa     udp
US       8.8.8.8:53           198.1.85.104.in-addr.arpa      udp
US       8.8.8.8:53           26.35.223.20.in-addr.arpa      udp
US       8.8.8.8:53           59.128.231.4.in-addr.arpa      udp
US       8.8.8.8:53           71.159.190.20.in-addr.arpa     udp
RU       5.42.92.51:19057     -                              tcp
US       8.8.8.8:53           146.78.124.51.in-addr.arpa     udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53           18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53           65.252.72.23.in-addr.arpa      udp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa      udp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa    udp
RU       5.42.92.51:19057     -                              tcp
US       8.8.8.8:53           126.21.238.8.in-addr.arpa      udp
RU       5.42.92.51:19057     -                              tcp
US       8.8.8.8:53           13.227.111.52.in-addr.arpa     udp
RU       5.42.92.51:19057     -                              tcp
RU       5.42.92.51:19057     -                              tcp
US       8.8.8.8:53           209.143.182.52.in-addr.arpa    udp
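Most of the table is noise: reverse (PTR) lookups sent to 8.8.8.8 and TLS to tse1.mm.bing.net. The one endpoint worth extracting is 5.42.92.51:19057, contacted five times over TCP, direct to IP on a non-web port, with no DNS lookup (forward or reverse) for it anywhere in the capture. The script below is an added example by the page editor, not part of the report or the sandbox: it parses rows in the form printed above (a "-" or a missing Domain column are both accepted), sorts them into DNS, analyst-allowlisted background hosts and direct-to-IP candidates, and reports each candidate with its connection count and whether the capture holds a PTR lookup for it. The allowlist `BACKGROUND_SUFFIXES` and the "c2-candidate" rule are the editor's assumptions, not verdicts the report makes.

```python
"""Classify the Network table: sandbox background traffic versus the
hard-coded C2 endpoint.

Added example by the page editor; not part of the report or the sandbox.
NETWORK_ROWS is the table above.  BACKGROUND_SUFFIXES is an assumed,
analyst-maintained allowlist of hosts the Windows 10 image contacts on its
own; the 'c2-candidate' verdict (direct-to-IP TCP on a non-web port, no name
resolution in the capture) is the editor's heuristic, not a report finding.
"""
from collections import Counter

NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
RU 5.42.92.51:19057 - tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
RU 5.42.92.51:19057 - tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 - tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
"""

# Assumption: hostnames the sandbox image talks to regardless of the sample.
BACKGROUND_SUFFIXES = (".bing.net",)


def parse_network(text):
    """-> list of dicts; 'domain' is None when the column is '-' or absent."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, "-"
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "-" else domain, "proto": proto})
    return rows


def ptr_name(ip):
    """Reverse-lookup name of an IPv4 address: 5.42.92.51 -> 51.92.42.5.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def classify(row):
    d = row["domain"]
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-ptr" if d and d.endswith(".in-addr.arpa") else "dns"
    if d and d.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if d is None and row["proto"] == "tcp" and row["port"] not in (80, 443):
        return "c2-candidate"
    return "other"


def triage(text):
    """Per-class counts plus one entry per direct-to-IP endpoint, most-contacted first."""
    rows = parse_network(text)
    verdicts = [classify(r) for r in rows]
    lookups = {r["domain"] for r in rows if r["domain"]}
    conns = Counter((r["ip"], r["port"], r["country"])
                    for r, v in zip(rows, verdicts) if v == "c2-candidate")
    candidates = [{"ip": ip, "port": port, "country": cc, "connections": n,
                   "ptr_seen": ptr_name(ip) in lookups}
                  for (ip, port, cc), n in conns.most_common()]
    return {"summary": Counter(verdicts), "candidates": candidates}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(dict(result["summary"]))
    for c in result["candidates"]:
        print("C2 candidate:", c)
```

`ptr_seen` is false for 5.42.92.51 while the sandbox did reverse-resolve a dozen Microsoft addresses, which is one more sign the endpoint is hard-coded in the payload rather than reached through a name; the IP:port pair is the indicator to block, with the caveat that the page gives no protocol detail for that session beyond "tcp".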

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ac1XH54.exe

MD5 338d36446bcbb70f0b58064f5de11560
SHA1 27b3ad2e0be12e0f2b04d0c2c9cd4fc4b1565761
SHA256 b28b466e68017d6a0d37e85a75fa28522ef9e7eecf29cd1d8dfd7461eb837c4a
SHA512 e59b8cfadc4e6ee4e2f36ab6808135a32a5f6af9cde14c6409eb94bad78582b99d2cadaf11ce82b933b0fe13cc17e49cf97454d64a8ac7fe6ce4c41f54715832

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3aI829jU.exe

MD5 afea8784f4793fbbc8fb24dabf312276
SHA1 c4b4f92896eb0d8e45ce6a677f3f72d2801abb86
SHA256 2f8a55664928402de50f217b676308b2336da6a1889d66c0f50320321634f587
SHA512 923be884c5e0da3b718c06f0d1f105c37bc19b698da5fcb97d6e4907f8f3da8b88c870cec74d7409b324aba0bdd3e4b1781cc30aa8ebb41b6aab0e5ba03ac0bd

memory/4976-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4976-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4976-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4976-18-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Ev1RU4.exe

MD5 d706b44439184373b314c2f2e1012167
SHA1 36b7487ab876ef2699f2edb0e323c992aa675242
SHA256 61db01590e9ff5ebc08a056ab07fd1d64bd0e843bcfcd86254b4cfeb2038028d
SHA512 28fc774e81733b3989a605384cac88eece80b03c0ef77c02d7b110d2002f353f0dfd8cfdfcb149e3eb210f21a759f67f108b0379b78588ad158fe9c0d9b99b02

memory/3392-22-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5HD65Eq.exe

MD5 f712eb9cb049fa7d8d33ac233f096ca8
SHA1 08540c5114358e6a721403d1677334b7964c6d90
SHA256 19d0032cc32d89277142590a48be974fd717c86c14ec17afa15341b2df985da8
SHA512 b79892f52bde2ae1fa910d0c120d77f0ba12639cf5260464f9d99e56767d05ea70ac37dc442bf3d71ef019c3c3d98475dfa9b311a3d6f37a5d7c7a2b22ba907c

memory/3392-28-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/3392-30-0x0000000007F60000-0x0000000008504000-memory.dmp

memory/3392-31-0x0000000007A50000-0x0000000007AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

memory/3392-37-0x0000000007A20000-0x0000000007A30000-memory.dmp

memory/3392-38-0x0000000007A10000-0x0000000007A1A000-memory.dmp

memory/3392-39-0x0000000008B30000-0x0000000009148000-memory.dmp

memory/3392-40-0x0000000008510000-0x000000000861A000-memory.dmp

memory/3392-41-0x0000000007DD0000-0x0000000007DE2000-memory.dmp

memory/3392-42-0x0000000007E30000-0x0000000007E6C000-memory.dmp

memory/3392-43-0x0000000007E70000-0x0000000007EBC000-memory.dmp

memory/3392-44-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/3392-45-0x0000000007A20000-0x0000000007A30000-memory.dmp