Malware Analysis Report

2024-12-08 01:08

Sample ID 231111-mlbnpsee63
Target NEAS.7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7.exe
SHA256 7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7
Tags
mystic redline taiga infostealer persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7

Threat Level: Known bad

The file NEAS.7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7.exe was found to be: Known bad.

Malicious Activity Summary

mystic redline taiga infostealer persistence stealer

Detect Mystic stealer payload

RedLine

RedLine payload

Mystic

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 10:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 10:32

Reported

2023-11-11 10:35

Platform

win10v2004-20231020-en

Max time kernel

170s

Max time network

188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mc37cT.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI3MD51.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2812 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI3MD51.exe
PID 3312 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI3MD51.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PX074ui.exe
PID 4572 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PX074ui.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3312 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI3MD51.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Fy5XE1.exe
PID 2264 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Fy5XE1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2812 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mc37cT.exe
PID 2828 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mc37cT.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.7cd1c2b48c1658fb8e580af4dc4fd582cbcd5321dad642a131c860735a3a35b7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI3MD51.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI3MD51.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PX074ui.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PX074ui.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Fy5XE1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Fy5XE1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3872 -ip 3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mc37cT.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mc37cT.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WI3MD51.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PX074ui.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Fy5XE1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Mc37cT.exe

C:\Users\Admin\AppData\Local\Temp\is64.bat

C:\Users\Admin\AppData\Local\Temp\is64.txt