Analysis
Max time kernel: 150s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20231023-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11-11-2023 10:38
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe
Size: 511KB
MD5: 01a5ea41e03dfbd80da8324510d647e2
SHA1: cc297b0fa9f519a4cc556571d8895ff1f112d86a
SHA256: e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6
SHA512: 5fa0d56a8f91fc51c0df4ef66eda2c4912f3910c19b40b7ef08bf30ef3a448aad5148471f7d64790df94e7cc3effa55428733f763049df4df5647ffd70bd11f7
SSDEEP: 12288:PMrLy90js7S22f/a4uUwjMaY8TUs2luE+4+wSRMFDP8ecH:gyKyWaYSz2lurUS2lGH
Malware Config
Extracted
Family: redline
Botnet: taiga
C2: 5.42.92.51:19057
Signatures
Detect Mystic stealer payload (4 IoCs)
YARA rule hits on memory dumps (resource: yara_rule):
behavioral1/memory/2488-14-0x0000000000400000-0x0000000000433000-memory.dmp: mystic_family
behavioral1/memory/2488-15-0x0000000000400000-0x0000000000433000-memory.dmp: mystic_family
behavioral1/memory/2488-16-0x0000000000400000-0x0000000000433000-memory.dmp: mystic_family
behavioral1/memory/2488-18-0x0000000000400000-0x0000000000433000-memory.dmp: mystic_family
All four hits are successive dumps of the same 0x400000-0x433000 region in PID 2488, the AppLaunch.exe instance whose thread context 3Jd243HO.exe (PID 2404) set below; the Mystic payload lives in the hollowed host process, not in any file dropped to disk.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoC)
YARA rule hit on memory dump (resource: yara_rule):
behavioral1/memory/3988-22-0x0000000000400000-0x000000000043C000-memory.dmp: family_redline
PID 3988 is the AppLaunch.exe instance whose thread context 4qe0Hq1.exe (PID 3180) set below, so the RedLine payload is likewise only present in a hollowed host process.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Process 5Qy62bS.exe: key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (4 IoCs)
PID 1500: Rt6PF36.exe
PID 2404: 3Jd243HO.exe
PID 3180: 4qe0Hq1.exe
PID 4196: 5Qy62bS.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Process NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process Rt6PF36.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Caveat: a RunOnce value named wextract_cleanupN that runs advpack.dll,DelNodeRunDLL32 against an IXP00N.TMP folder is the standard self-cleanup written by an IExpress (wextract) self-extracting package, which extracts into %TEMP%\IXP00N.TMP. Here it shows two nested IExpress layers (the sample, then Rt6PF36.exe) rather than persistence for the stealer payloads; the values delete the extraction folders at next logon.
Suspicious use of SetThreadContext (2 IoCs)
PID 2404 (3Jd243HO.exe) set thread context of PID 2488 (procid_target 97)
PID 3180 (4qe0Hq1.exe) set thread context of PID 3988 (procid_target 104)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
PID 4916 (WerFault.exe) handled the crash of PID 2488 (procid_target 97)
Suspicious use of WriteProcessMemory (39 IoCs)
Calls grouped by source and target process (source PID, source process, target PID, procid_target, number of calls):
PID 2324 (NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe) wrote to memory of PID 1500 (procid_target 94): 3 calls
PID 1500 (Rt6PF36.exe) wrote to memory of PID 2404 (procid_target 95): 3 calls
PID 2404 (3Jd243HO.exe) wrote to memory of PID 2488 (procid_target 97): 10 calls
PID 1500 (Rt6PF36.exe) wrote to memory of PID 3180 (procid_target 99): 3 calls
PID 3180 (4qe0Hq1.exe) wrote to memory of PID 3716 (procid_target 102): 3 calls
PID 3180 (4qe0Hq1.exe) wrote to memory of PID 3132 (procid_target 103): 3 calls
PID 3180 (4qe0Hq1.exe) wrote to memory of PID 3988 (procid_target 104): 8 calls
PID 2324 (NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe) wrote to memory of PID 4196 (procid_target 105): 3 calls
PID 4196 (5Qy62bS.exe) wrote to memory of PID 764 (procid_target 110): 3 calls
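The SetThreadContext and WriteProcessMemory signatures above are only meaningful together: the process-hollowing sequence is CreateProcess(CREATE_SUSPENDED), WriteProcessMemory into the child, SetThreadContext to repoint its entry, ResumeThread. The following is an added example, not part of the sandbox report or its tooling, that correlates the two event types into hollowing candidates and ties the YARA-tagged memory dumps back to the injecting parent. The event lines, dump names and PID-to-image lookup are constructed from the tables on this page; the event line format and the dump-name layout are assumed from how the report prints them.

```python
"""Added example: correlate WriteProcessMemory / SetThreadContext sandbox events
into process-hollowing candidates and attribute YARA memory-dump hits to the
injecting parent.  All input data below is constructed from the report above."""
import re
from collections import defaultdict

# Constructed sample events in the report's one-record-per-line format:
# "PID <src> <action> <dst> <src> <image> <procid_target>".
EVENTS = """
PID 2324 wrote to memory of 1500 2324 NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe 94
PID 1500 wrote to memory of 2404 1500 Rt6PF36.exe 95
PID 2404 wrote to memory of 2488 2404 3Jd243HO.exe 97
PID 2404 set thread context of 2488 2404 3Jd243HO.exe 97
PID 3180 wrote to memory of 3716 3180 4qe0Hq1.exe 102
PID 3180 wrote to memory of 3132 3180 4qe0Hq1.exe 103
PID 3180 wrote to memory of 3988 3180 4qe0Hq1.exe 104
PID 3180 set thread context of 3988 3180 4qe0Hq1.exe 104
PID 4196 wrote to memory of 764 4196 5Qy62bS.exe 110
"""

# YARA hits from the report: dump name -> rule name.
YARA_HITS = {
    "behavioral1/memory/2488-14-0x0000000000400000-0x0000000000433000-memory.dmp": "mystic_family",
    "behavioral1/memory/3988-22-0x0000000000400000-0x000000000043C000-memory.dmp": "family_redline",
}

# PID -> image path, a hand-built subset of the report's process tree.
IMAGES = {
    2488: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    3716: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    3132: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    3988: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    764: r"C:\Windows\SysWOW64\cmd.exe",
}

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)$"
)
# Assumed dump-name layout: <pid>-<index>-0x<base>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_events(text):
    """Parse event lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            out.append({
                "src": int(m["src"]),
                "dst": int(m["dst"]),
                "action": "write" if m["action"].startswith("wrote") else "context",
                "image": m["image"],
                "target": int(m["target"]),
            })
    return out


def hollowing_candidates(events, images):
    """Return sorted (src_pid, src_image, dst_pid, dst_image) tuples for every
    child that the same parent both wrote into and set a thread context of.
    A parent that only wrote (PID 3716 and 3132 here) is not reported."""
    writes, contexts, src_image = defaultdict(set), defaultdict(set), {}
    for e in events:
        src_image[e["src"]] = e["image"]
        (writes if e["action"] == "write" else contexts)[e["src"]].add(e["dst"])
    return sorted(
        (src, src_image[src], dst, images.get(dst, "<unknown>"))
        for src, dsts in contexts.items()
        for dst in dsts & writes[src]
    )


def parse_dump_name(name):
    """Split a memory-dump name into pid, index, base address and region size."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    base, end = int(m["base"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]), "base": base, "size": end - base}


def attribute_yara_hits(hits, candidates):
    """Map each YARA rule to the dumped PID and, when that PID was hollowed,
    to the parent that injected it (None when no injector was seen)."""
    by_child = {dst: (src, src_img) for src, src_img, dst, _ in candidates}
    result = {}
    for name, rule in hits.items():
        d = parse_dump_name(name)
        src, src_img = by_child.get(d["pid"], (None, None))
        result[rule] = {"pid": d["pid"], "base": d["base"], "size": d["size"],
                        "injected_by": src, "injector": src_img}
    return result


if __name__ == "__main__":
    cands = hollowing_candidates(parse_events(EVENTS), IMAGES)
    for src, src_img, dst, dst_img in cands:
        print(f"{src} ({src_img}) hollowed {dst} ({dst_img})")
    for rule, info in attribute_yara_hits(YARA_HITS, cands).items():
        print(f"{rule}: PID {info['pid']} region 0x{info['base']:X} ({info['size']} bytes), "
              f"injected by {info['injected_by']} ({info['injector']})")
```

Run stand-alone, the script reports 3Jd243HO.exe as the injector of PID 2488 (the mystic_family hit) and 4qe0Hq1.exe as the injector of PID 3988 (the family_redline hit), while the two AppLaunch.exe children that were only written to and never had a thread context set are left out. The same correlation works on Sysmon or EDR telemetry if the two API events are available as separate records keyed by source and target PID.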
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe (PID 2324)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\NEAS.e0f39e5eced84a8d0eb463e781a5c95d48a72e6175de2f861cfec8a0b11891c6.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rt6PF36.exe (PID 1500)
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rt6PF36.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Jd243HO.exe (PID 2404)
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Jd243HO.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2488)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        C:\Windows\SysWOW64\WerFault.exe (PID 4916)
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 540
          - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qe0Hq1.exe (PID 3180)
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qe0Hq1.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3716)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3132)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3988)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qy62bS.exe (PID 4196)
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qy62bS.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 764)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
C:\Windows\SysWOW64\WerFault.exe (PID 1508)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2488 -ip 2488
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 73KB
MD5: b5d20a2b79b4fdf1719fcb0941afbe85
SHA1: 676b554010f8970a83094c846e24c63d3e2f4749
SHA256: 385b4ec9b428d372fca1797de074f35cc3db77ec1c3ddfc1137e8797a9923664
SHA512: 603dd3807c15f9c9279461e45887523078a482befa4e8fea44ea9cddc07ca327a915b7d96c7e0917695e829355950b458c59ef31521d3ee18ff69e8cb7c7e6a6
-
Filesize: 389KB
MD5: c37855602e3d6c2ec8c62daaa15db6ad
SHA1: a08d12f14e164a3be9e4ad70268b0655988c8778
SHA256: eefdaf86eea7ef2e8cc05486fad88232ea92d88d683ed515a5d277a5cf80d72f
SHA512: 39eb8bac9fe9e2c5c4605e7c75133a7392057e38831cf7f199fc3cff03e1f81850c94721a275ebc3c78e9a09d546f56922e92c3e2689bdd21387eed68061c4b6
-
Filesize: 300KB
MD5: 784667bb96ccb30c4cf44f2c5f493769
SHA1: 28185165ab4dbbb4a139ae1af0bb6934ebe05c04
SHA256: 1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9
SHA512: 62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20
-
Filesize: 339KB
MD5: 14d9834611ad581afcfea061652ff6cb
SHA1: 802f964d0be7858eb2f1e7c6fcda03501fd1b71c
SHA256: e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60
SHA512: cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5