Malware Analysis Report

2024-12-08 00:56

Sample ID 231111-nrj3psef21
Target NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe
SHA256 3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb
Tags
mystic redline taiga infostealer persistence stealer
Score 10/10


Analysis Overview

Threat Level: Known bad

The file NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe was found to be: Known bad.

Malicious Activity Summary

mystic redline taiga infostealer persistence stealer

RedLine payload

Detect Mystic stealer payload

Mystic

RedLine

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-11-11 11:37

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 11:37

Reported

2023-11-11 11:53

Platform

win10v2004-20231023-en

Max time kernel

139s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe"

Signatures

Detect Mystic stealer payload

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ik6nd90.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 324 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe
PID 324 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe
PID 324 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe
PID 1344 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe
PID 1344 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe
PID 1344 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe
PID 4568 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4568 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4568 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4568 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4568 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4568 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4568 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4568 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4568 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4568 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe
PID 1344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe
PID 1344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe
PID 2888 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2888 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 324 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ik6nd90.exe
PID 324 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ik6nd90.exe
PID 324 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ik6nd90.exe
PID 5052 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ik6nd90.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ik6nd90.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ik6nd90.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.3d0729e7609e0e5b87fa73c247275dd8f9cd52d2e88c4a4eafe0067cb2fc30eb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4316 -ip 4316

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ik6nd90.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ik6nd90.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 540

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
RU 5.42.92.51:19057 tcp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\No9KX25.exe

MD5 5d8704492d1ef90ee3f574f22c227b76
SHA1 a30e26e1c02478087f23e01c07f51459e521c484
SHA256 2e1b00fa36e304968b4bb1c7e279ca09a2ce6fbc52a9e1f5bcf8fb2358d14e42
SHA512 0451033ea1ab368cfbb2c8ca20d5c687b6f547786b9321119a7793e9f8288c3f51733d2423e6be78b6a8307330c08e83e59875e86ae566d7dd1244433f43d17e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ev72Ma5.exe

MD5 e3814d0ddf0ffe091f1b86f28cecfdb9
SHA1 af902e65d3084140b3ea06811a49d272e41117b9
SHA256 e07bef2c15965abf37c60314cb19ba2b7b05086cde27fdac9a7f72d73f9ba060
SHA512 751029eb48ebb1603145018002490da78e3d0fb72b5292effe48de855ba1b0a0d3ecf0dc512cb69aa5a10f58508bd55327e58a86d1633d102cc8bbac32fa518f

memory/4316-14-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4316-15-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4316-16-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4316-18-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2As3470.exe

MD5 98beaa6f7a07ca2ecf028349e75fffda
SHA1 d3fe6b5d6608fec3a86367707bd63d57a5a527c3
SHA256 178f89ab4a360086b8e98f95e4c055aa501a617928f2744dfddf90c84e55648a
SHA512 691ba229d170e78cdb80d04908f3cb4f042b52a89a11415214bb83ff32de1bc48d6932ceb2acdb20a173216e463736e9e822955eedb9f6d722416d7d66b437d6

memory/4076-22-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ik6nd90.exe

MD5 5c5547366820cd0ea845f851288c3f5f
SHA1 3c5b32172aa75b76d8e707370cf1ba5ec46a26ec
SHA256 3f802ec38a7e043ecb2afbaf3598c9749aceae2d027f3c1083dcdb05d728c4d6
SHA512 d89c420e183377c2e1d56360edbf479951c069153da5e1207c12481cbb6ed317858184a65c7532c896b1f6ed7710b55ca48a0dc1acf12100dfd2a59a9f513f8c

C:\Users\Admin\AppData\Local\Temp\is64.bat

MD5 225edee1d46e0a80610db26b275d72fb
SHA1 ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256 e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA512 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

C:\Users\Admin\AppData\Local\Temp\is64.txt

MD5 a5ea0ad9260b1550a14cc58d2c39b03d
SHA1 f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256 f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA512 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74
