Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-11-2023 10:38

General

  • Target

    NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe

  • Size

    511KB

  • MD5

    01a5ea41e03dfbd80da8324510d647e2

  • SHA1

    cc297b0fa9f519a4cc556571d8895ff1f112d86a

  • SHA256

    e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6

  • SHA512

    5fa0d56a8f91fc51c0df4ef66eda2c4912f3910c19b40b7ef08bf30ef3a448aad5148471f7d64790df94e7cc3effa55428733f763049df4df5647ffd70bd11f7

  • SSDEEP

    12288:PMrLy90js7S22f/a4uUwjMaY8TUs2luE+4+wSRMFDP8ecH:gyKyWaYSz2lurUS2lGH

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rt6PF36.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rt6PF36.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Jd243HO.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Jd243HO.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2404
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:2488
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 540
            5⤵
            • Program crash
            PID:4916
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qe0Hq1.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qe0Hq1.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3180
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:3716
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:3132
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          PID:3988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qy62bS.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qy62bS.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
        3⤵
        PID:764
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2488 -ip 2488
    1⤵
    PID:1508

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qy62bS.exe
    Filesize: 73KB
    MD5: b5d20a2b79b4fdf1719fcb0941afbe85
    SHA1: 676b554010f8970a83094c846e24c63d3e2f4749
    SHA256: 385b4ec9b428d372fca1797de074f35cc3db77ec1c3ddfc1137e8797a9923664
    SHA512: 603dd3807c15f9c9279461e45887523078a482befa4e8fea44ea9cddc07ca327a915b7d96c7e0917695e829355950b458c59ef31521d3ee18ff69e8cb7c7e6a6

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rt6PF36.exe
    Filesize: 389KB
    MD5: c37855602e3d6c2ec8c62daaa15db6ad
    SHA1: a08d12f14e164a3be9e4ad70268b0655988c8778
    SHA256: eefdaf86eea7ef2e8cc05486fad88232ea92d88d683ed515a5d277a5cf80d72f
    SHA512: 39eb8bac9fe9e2c5c4605e7c75133a7392057e38831cf7f199fc3cff03e1f81850c94721a275ebc3c78e9a09d546f56922e92c3e2689bdd21387eed68061c4b6

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Jd243HO.exe
    Filesize: 300KB
    MD5: 784667bb96ccb30c4cf44f2c5f493769
    SHA1: 28185165ab4dbbb4a139ae1af0bb6934ebe05c04
    SHA256: 1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9
    SHA512: 62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qe0Hq1.exe
    Filesize: 339KB
    MD5: 14d9834611ad581afcfea061652ff6cb
    SHA1: 802f964d0be7858eb2f1e7c6fcda03501fd1b71c
    SHA256: e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60
    SHA512: cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

  • memory/2488-16-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB

  • memory/2488-14-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB

  • memory/2488-18-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB

  • memory/2488-15-0x0000000000400000-0x0000000000433000-memory.dmp
    Filesize: 204KB

  • memory/3988-34-0x0000000007B90000-0x0000000007B9A000-memory.dmp
    Filesize: 40KB

  • memory/3988-28-0x0000000073F90000-0x0000000074740000-memory.dmp
    Filesize: 7.7MB

  • memory/3988-31-0x0000000008090000-0x0000000008634000-memory.dmp
    Filesize: 5.6MB

  • memory/3988-32-0x0000000007BC0000-0x0000000007C52000-memory.dmp
    Filesize: 584KB

  • memory/3988-33-0x0000000007E00000-0x0000000007E10000-memory.dmp
    Filesize: 64KB

  • memory/3988-22-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize: 240KB

  • memory/3988-35-0x0000000008C60000-0x0000000009278000-memory.dmp
    Filesize: 6.1MB

  • memory/3988-36-0x0000000007F20000-0x000000000802A000-memory.dmp
    Filesize: 1.0MB

  • memory/3988-37-0x0000000007E10000-0x0000000007E22000-memory.dmp
    Filesize: 72KB

  • memory/3988-38-0x0000000007E70000-0x0000000007EAC000-memory.dmp
    Filesize: 240KB

  • memory/3988-39-0x0000000007EB0000-0x0000000007EFC000-memory.dmp
    Filesize: 304KB

  • memory/3988-40-0x0000000073F90000-0x0000000074740000-memory.dmp
    Filesize: 7.7MB

  • memory/3988-41-0x0000000007E00000-0x0000000007E10000-memory.dmp
    Filesize: 64KB