Malware Analysis Report

2024-12-08 01:08

Sample ID 231111-mnfqfadf7x
Target NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe
SHA256 0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7
Tags
mystic redline taiga infostealer persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7

Threat Level: Known bad

The file NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe was found to be: Known bad.

Malicious Activity Summary

mystic redline taiga infostealer persistence stealer

Mystic

RedLine

Detect Mystic stealer payload

RedLine payload

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 10:36

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 10:36

Reported

2023-11-11 10:39

Platform

win10v2004-20231023-en

Max time kernel

140s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe"

Signatures

Detect Mystic stealer payload

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe N/A
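A caveat on the two rows above: the sandbox raises "Adds Run key to start application" (and the persistence tag) on any write under Run/RunOnce, but wextract_cleanup0 and wextract_cleanup1 are the standard cleanup entries written by Windows' WEXTRACT self-extractor, the packaging that produces the IXP000.TMP and IXP001.TMP staging directories seen in this run. Each value calls advpack.dll's DelNodeRunDLL32 export to delete the named directory at the next logon, so the effect is the opposite of persistence: the dropped stages disappear after a reboot, and an analyst who wants XN5Oj25.exe, 1xd48KX1.exe, 2vK4661.exe and 7UP7FG39.exe should pull them from the temp directories before the machine restarts. The WOW6432Node path also tells you the writer is a 32-bit process on 64-bit Windows (registry redirection), consistent with the SysWOW64 cmd.exe and WerFault.exe later in the process list. The following classifier is an added example for this report, not sandbox code and not code from the sample; the two report rows are copied from the table above, and the third row is constructed here to show what a genuine autostart entry looks like by contrast.

```python
"""Classify Run/RunOnce writes from a sandbox report.

Added example; not sandbox output and not code from the sample. The two
REPORT_ROWS are copied from the report table; CONSTRUCTED_ROW is made up
for contrast and is not in the report. The wextract pattern matches the
cleanup value Windows' WEXTRACT self-extractor writes to delete its
IXP00N.TMP staging directory at next logon (advpack.dll!DelNodeRunDLL32).
"""
import re

# One row of the report's "Set value (str) <key>\<name> = "<value>" <process> <target>" table.
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<path>\\REGISTRY\\\S+) = '
    r'"(?P<raw>(?:[^"\\]|\\.)*)" (?P<process>\S+) (?P<target>\S+)$'
)
WEXTRACT_NAME_RE = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
WEXTRACT_VALUE_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"$',
    re.IGNORECASE,
)
AUTOSTART_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe N/A
'''

# Constructed for contrast (NOT from the report): an HKCU Run value that
# points at a dropped binary, which is what real persistence looks like.
CONSTRUCTED_ROW = r'Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\updater.exe" C:\Users\Admin\AppData\Local\Temp\dropper.exe N/A'


def unescape(raw):
    """Undo the report's C-style escaping of backslashes and quotes."""
    return re.sub(r"\\(.)", r"\1", raw)


def parse_rows(text):
    """Parse report rows into dicts with key, value name, decoded value and writer."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        key, _, name = m["path"].rpartition("\\")
        rows.append({"key": key, "name": name,
                     "value": unescape(m["raw"]), "process": m["process"]})
    return rows


def classify(row):
    """Verdict for one autostart write: wextract cleanup vs. persistence candidate."""
    result = {
        "name": row["name"],
        "autostart": row["key"].endswith(AUTOSTART_KEYS),
        "wow64_view": "\\WOW6432Node\\" in row["key"],   # 32-bit writer on x64
        "verdict": "persistence-candidate",
        "deletes": None,                                 # directory removed at next logon
    }
    m = WEXTRACT_VALUE_RE.match(row["value"])
    if WEXTRACT_NAME_RE.match(row["name"]) and m:
        result["verdict"] = "wextract-cleanup"
        result["deletes"] = m["dir"]
    return result


if __name__ == "__main__":
    for row in parse_rows(REPORT_ROWS) + parse_rows(CONSTRUCTED_ROW):
        print(classify(row))
```

Both report rows classify as cleanup and name the staging directory that will be removed; the constructed HKCU Run row is the shape that deserves the persistence tag.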

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe
PID 2024 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe
PID 2024 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe
PID 2244 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe
PID 2244 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe
PID 2244 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe
PID 2240 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe
PID 2244 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe
PID 2244 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe
PID 4704 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4704 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4704 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4704 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4704 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4704 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4704 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4704 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2024 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe
PID 2024 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe
PID 2024 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe
PID 228 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe C:\Windows\SysWOW64\cmd.exe
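The table above mostly mirrors the process tree: every parent writes into a child it has just created (three rows per ordinary spawn), so the signature alone does not separate injection from normal process creation. The discriminator is the target. An unsigned EXE dropped under the user's temp directory writing repeatedly into AppLaunch.exe, a signed .NET Framework host started with no arguments (10 rows for PID 2296, 8 for PID 2756), is the process-hollowing pattern, and the Files section later lists dumps of the 0x400000 image region of exactly those two PIDs. The script below is an added example for reading this report, not sandbox code and not code from the sample: it parses the rows above (one copy of each distinct row), rebuilds the chain and flags the hollowing targets. HOLLOWING_HOSTS and USER_TEMP_MARKER are this example's own assumptions about which signed hosts loaders abuse and where dropped stages live.

```python
"""Rebuild the injection chain from the report's WriteProcessMemory rows.

Added example; not sandbox output and not code from the sample. REPORT_ROWS
holds one copy of each distinct row from the table (the report repeats a
row once per WriteProcessMemory call). HOLLOWING_HOSTS is an assumption:
signed .NET host binaries commonly started suspended and overwritten.
"""
import ntpath
import re

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)

REPORT_ROWS = r"""
PID 2024 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe
PID 2244 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe
PID 2240 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2240 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe
PID 4704 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2024 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe
PID 228 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe C:\Windows\SysWOW64\cmd.exe
"""

# Assumptions, not facts from the report: hosts that loaders hollow, and the
# path fragment that marks a binary dropped into the user's temp directory.
HOLLOWING_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"


def parse_rows(text):
    """Return distinct (src_pid, dst_pid, src_image, dst_image) edges in report order."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        edges.setdefault((int(m["src"]), int(m["dst"])), (m["src_image"], m["dst_image"]))
    return [(s, d, si, di) for (s, d), (si, di) in edges.items()]


def images_by_pid(edges):
    """Map every PID in the table to its image path."""
    images = {}
    for src, dst, src_image, dst_image in edges:
        images[src] = src_image
        images[dst] = dst_image
    return images


def roots(edges):
    """PIDs that wrote to others but were never written to: the chain's origin."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def lineage(edges, pid):
    """Follow parent links back to the root; returns [root, ..., pid]."""
    parent = {dst: src for src, dst, *_ in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def injection_candidates(edges):
    """Edges where a temp-dir EXE writes into a known .NET host: hollowing,
    as opposed to the writes every parent makes into a freshly created child."""
    hits = []
    for src, dst, src_image, dst_image in edges:
        dropped = USER_TEMP_MARKER in src_image.lower()
        host = ntpath.basename(dst_image).lower() in HOLLOWING_HOSTS
        if dropped and host:
            hits.append((src, dst, ntpath.basename(dst_image)))
    return hits


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    print("root:", roots(edges))
    for src, dst, name in injection_candidates(edges):
        print(f"{src} -> {dst} ({name}) via {lineage(edges, dst)}")
```

Run against the rows above it reports one root (PID 2024, the submitted sample) and three hollowing targets, all AppLaunch.exe; PIDs 2296 and 2756 are the ones whose 0x400000 regions appear as memory dumps under Files, which is where the unpacked RedLine and Mystic payloads would be carved from. The cmd.exe child of 7UP7FG39.exe is a plain spawn (it runs is64.bat) and is correctly not flagged.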

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.0d72f00195531961afb7f8503e4d958638db654537f09a9239c64427bdc0d7a7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2296 -ip 2296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
NL 8.238.178.254:80 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
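Most of the rows above are noise: reverse (PTR) lookups that the OS issues for addresses it already knows, and the sandbox image's own traffic to tse1.mm.bing.net. What remains is a single HTTP connection to 8.238.178.254:80 and five TCP connections to 5.42.92.51:19057, a raw address on a non-standard port with no corresponding name lookup anywhere in the capture, which is the shape of a hard-coded stealer C2. The triage script below is an added example for reading this report, not sandbox code and not code from the sample; the rows are copied from the table above, and NOISE_SUFFIXES is this example's own allow-list (an assumption to maintain per sandbox image).

```python
"""Separate C2 traffic from sandbox background noise in the Network table.

Added example; not sandbox output and not code from the sample. REPORT_ROWS
are copied from the report. NOISE_SUFFIXES is an assumption: domains the
Windows sandbox image contacts on its own. PTR lookups are set aside since
they only translate addresses to names and name no attacker infrastructure.
"""
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

REPORT_ROWS = """
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
NL 8.238.178.254:80 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
"""

NOISE_SUFFIXES = (".bing.net",)  # assumption: Windows/sandbox background traffic


def parse_rows(text):
    """Parse 'CC ip:port [domain] proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                     "domain": m["domain"] or "", "proto": m["proto"]})
    return rows


def classify(row):
    """Bucket one flow: PTR lookup, known-noise domain, other DNS, or candidate."""
    domain = row["domain"].lower()
    if domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"
    if domain.endswith(NOISE_SUFFIXES):
        return "sandbox-noise"
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns-query"
    return "candidate"


def c2_candidates(rows, min_hits=2):
    """Direct connections that survive filtering, ranked by repeat count.
    Returns (ip, port, country, hits). Repeated connections to one raw
    IP:port with no name lookup for it is the stealer-C2 shape."""
    hits = Counter((r["ip"], r["port"], r["cc"]) for r in rows if classify(r) == "candidate")
    ranked = sorted(hits.items(), key=lambda kv: -kv[1])
    return [(ip, port, cc, n) for (ip, port, cc), n in ranked if n >= min_hits]


def iocs(rows):
    """Every surviving destination as 'ip:port', for blocklists and hunting."""
    return sorted({f'{r["ip"]}:{r["port"]}' for r in rows if classify(r) == "candidate"})


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    print(Counter(classify(r) for r in rows))
    print("C2 candidates:", c2_candidates(rows))
    print("IOCs:", iocs(rows))
```

With the default threshold of two hits the only C2 candidate is 5.42.92.51:19057 (five connections); 8.238.178.254:80 survives filtering but connected once, so it belongs in the IOC list while its role (payload download, check-in, or unrelated) is left for packet-level review.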

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN5Oj25.exe

MD5 e09413d7c011377798d6ff65e555a2df
SHA1 df4dee8c2070ac0ebfaebc134f4776672573d589
SHA256 3f9ae44a76cb3b7f14083f821f6581d302241388b0dbe91f7a7ee8e67bb45a15
SHA512 4228fbb9ac63f897a5637326269b76ba8146a492ebe5f42e8d804c603b2f44aaa7b6bc8bc3456d17a9f020ebd6f84182c82f3bb404e057736329ab260c5932bf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1xd48KX1.exe

MD5 4a868c16482f0ab8800d3f1eff627a9b
SHA1 c4527bdfb9929627534ca2299d858757e243bbe2
SHA256 bda2de9cf44b5c317144c8eef0e229740fda2b537e8c233c1d2117c6942ac3ee
SHA512 cc1cfeb3591ecb3d48783f5710dc0bbbe03273f778cec76ba42eb3194f6f8b84e100f73b8ba4fdab49c1c626ac73006de62d327ec5759c0015e1895456f12f10

memory/2296-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2296-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2296-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2296-18-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vK4661.exe

MD5 aa5b30ef8e986f9b233400c5f7924667
SHA1 005f7a369fa56c5783bd346c4abca2e07071e7b6
SHA256 9a95829eba3e8339105c40f90d76b506f3c0233b4dbb0d1f568815f0395baa00
SHA512 c80dc9aeb2dc2bcb603bd7e2325fda1ce73dd3d1b055546dadf5b6972126d905db03e4a5d6a595630dd2176a4efe70cd0c77d20960728d37483643d0a298bc03

memory/2756-22-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7UP7FG39.exe

MD5 3adaaa9511a337b19fc152ebef907118
SHA1 c3cc1e58236517c445d7e53386f20bb53bb2c340
SHA256 f1cf682377e954a5bfc2d9bf4f15b00f8b44ed5014220004d84aa5148919abb1
SHA512 3d915e71f0cb9d35d94ca7fcf807081f89a758eb6b9b8f61bcce4ac36ba221ea2409ddc58dc006a1c85e88ec01d12d772e8554520d6fcadbb95ec77d2f365e92

memory/2756-28-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/2756-30-0x00000000082B0000-0x0000000008854000-memory.dmp

memory/2756-31-0x0000000007DA0000-0x0000000007E32000-memory.dmp

memory/2756-33-0x0000000007F30000-0x0000000007F40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

memory/2756-38-0x0000000007E60000-0x0000000007E6A000-memory.dmp

memory/2756-39-0x0000000008E80000-0x0000000009498000-memory.dmp

memory/2756-40-0x0000000008140000-0x000000000824A000-memory.dmp

memory/2756-41-0x0000000008050000-0x0000000008062000-memory.dmp

memory/2756-42-0x00000000080B0000-0x00000000080EC000-memory.dmp

memory/2756-43-0x00000000080F0000-0x000000000813C000-memory.dmp

memory/2756-44-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/2756-45-0x0000000007F30000-0x0000000007F40000-memory.dmp