Malware Analysis Report

2024-12-08 01:13

Sample ID 231111-ml4pgsdf51
Target NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe
SHA256 5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893
Tags
mystic redline taiga infostealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893

Threat Level: Known bad

The file NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe was found to be: Known bad.

Malicious Activity Summary

mystic redline taiga infostealer persistence stealer

Mystic

Detect Mystic stealer payload

RedLine

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 10:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 10:34

Reported

2023-11-11 10:36

Platform

win10v2004-20231023-en

Max time kernel

139s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Bh58ix.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe
PID 1684 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe
PID 1684 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe
PID 5072 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe
PID 5072 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe
PID 5072 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe
PID 2068 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5072 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe
PID 5072 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe
PID 5072 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe
PID 4356 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4356 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1684 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Bh58ix.exe
PID 1684 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Bh58ix.exe
PID 1684 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Bh58ix.exe
PID 2772 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Bh58ix.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Bh58ix.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Bh58ix.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.5153f686fa4f3877750b988cbac42c72584c94e70e059a7686dd76adc933e893.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 384 -ip 384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Bh58ix.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Bh58ix.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa     udp
US       8.8.8.8:53            254.177.238.8.in-addr.arpa    udp
US       8.8.8.8:53            4.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
RU       5.42.92.51:19057      N/A                           tcp
US       8.8.8.8:53            57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53            2.136.104.51.in-addr.arpa     udp
US       8.8.8.8:53            103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53            206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53            1.208.79.178.in-addr.arpa     udp
RU       5.42.92.51:19057      N/A                           tcp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa   udp
RU       5.42.92.51:19057      N/A                           tcp
US       8.8.8.8:53            23.236.111.52.in-addr.arpa    udp
RU       5.42.92.51:19057      N/A                           tcp
US       8.8.8.8:53            163.252.72.23.in-addr.arpa    udp
RU       5.42.92.51:19057      N/A                           tcp
US       8.8.8.8:53            27.73.42.20.in-addr.arpa      udp
RU       5.42.92.51:19057      N/A                           tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hT9uB03.exe

MD5 196ca2633c48a24cab009b3d09db90e1
SHA1 ffe55c443af7f0b52bbbf51e50ff415263061964
SHA256 dae87e8e24382c633422a25d66b4c340d4394f80d58cbca4717a6ecd8635df02
SHA512 8aafe0a50145ee5f84058d67e36e1da2d8c175f965b301840c1a6c6889b519c374ccd83258193f04422c2c492732fc721f979aa4b5fc52efc0cc725340f867e5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yk622Ob.exe

MD5 05651b071f646ee044369bc44a6cadfe
SHA1 14a3acdc1515a190f9d8359d56bd5f2d0d26d757
SHA256 a6251317f374383c57586b0d646230292121dfcd2ee61123d86d2273698b5aff
SHA512 08bd7c9b97755f08d1c465cdd5926626a19b94e39124b3ebf303ab3c2026e0a0cf7990a40cbc8f560c8f886a01ddf32d8c9e13343b7ba5d6fbb45a148f81d846

memory/384-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/384-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/384-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/384-18-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4FY1Gv6.exe

MD5 f9b09a15100a46944fcb2670779b6ba5
SHA1 3d7c56c9983692fb80ae5a5f0eb8405534d5b1eb
SHA256 28e3e9bfb81adf7347ed973c819912738b795b51c063d4ac3c0f96a5d3e11dc6
SHA512 7eb128dcdff5aea61f1de5a694b92656b266b25718c06f5890f67295e518f3ea9a44afdbc918ebcd0e2b6d599c79b7478f0b628e556894a54af38753168a2f7d

memory/3648-22-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Bh58ix.exe

MD5 fbc6a615aaf9f0c3c52bd6b600becfad
SHA1 caed0d15d6b2e1d8e397e248de7be11619928071
SHA256 2a21eed44fe24310669a96a80023ebbb0242646648804a90614ad558e66193e1
SHA512 a375a58ee31fd3db86eaeb3e1189394d7f70f423bd88fc3396c44f80880a147867a22e4dc743ca666a964354a6f6dda5858907ad58f2a0ec72563660e555103c

memory/3648-28-0x0000000073840000-0x0000000073FF0000-memory.dmp

memory/3648-30-0x0000000007A80000-0x0000000008024000-memory.dmp

memory/3648-32-0x0000000007570000-0x0000000007602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

memory/3648-33-0x0000000007760000-0x0000000007770000-memory.dmp

memory/3648-38-0x0000000007620000-0x000000000762A000-memory.dmp

memory/3648-39-0x0000000008650000-0x0000000008C68000-memory.dmp

memory/3648-40-0x0000000007970000-0x0000000007A7A000-memory.dmp

memory/3648-41-0x0000000007700000-0x0000000007712000-memory.dmp

memory/3648-42-0x0000000007860000-0x000000000789C000-memory.dmp

memory/3648-43-0x00000000078A0000-0x00000000078EC000-memory.dmp

memory/3648-44-0x0000000073840000-0x0000000073FF0000-memory.dmp

memory/3648-45-0x0000000007760000-0x0000000007770000-memory.dmp