Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-01-2024 21:25
Static task: static1
Behavioral task: behavioral1 (sample WEXTRACT.exe, resource win7-20231215-en)
Behavioral task: behavioral2 (sample WEXTRACT.exe, resource win10v2004-20231222-en)
General
Target: WEXTRACT.exe
Size: 1.4MB
MD5: d9dce3b43103ba7c9c7993a1a4f5070b
SHA1: 0c6b82c436aff245a1c3a5bab3947de41b52744c
SHA256: 7f0325d4217054cdab8d35ac1adb47ba8ea7e2ec01b7dda452e65d0dc742dc2f
SHA512: c12a4a6ffedf54149ec732dbc915e12845ee82874c4b248b8ce3131b912e96ae3c5ea981b50905c99f7f34539f6f499754a8fc8c3f93a4a07bb19f572d6e98e8
SSDEEP: 24576:2y4AfNrEEEY3Uk8I7ZLKySp0Hu4dWMnYYDWSiJzqMtx15T/T8PwLyxC+:F4AfhNUk8IFLKySpggxJNx15R
Malware Config

Extracted: amadey
Version: 3.87
C2: http://77.91.68.18
install_dir: b40d11255d
install_file: saves.exe
strings_key: fa622dfc42544927a6471829ee1fa9fe
url_paths: /nice/index.php

Extracted: redline
Botnet: jang
C2: 77.91.124.82:19071
auth_value: 662102010afcbe9e22b13116b1c1a088
Signatures

Detect Mystic stealer payload (1 IoC)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4012392.exe  yara_rule: mystic_family

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0933183.exe  yara_rule: family_redline
  resource: behavioral2/memory/2760-43-0x0000000000E00000-0x0000000000E30000-memory.dmp  yara_rule: family_redline

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: saves.exe, l9706125.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation  (process: saves.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation  (process: l9706125.exe)

Executes dropped EXE (9 IoCs)
Processes:
  PID 540   y5573007.exe
  PID 2372  y0320571.exe
  PID 4872  y3397747.exe
  PID 4620  l9706125.exe
  PID 2940  saves.exe
  PID 3224  m4012392.exe
  PID 2760  n0933183.exe
  PID 4460  saves.exe
  PID 4416  saves.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: y3397747.exe, WEXTRACT.exe, y5573007.exe, y0320571.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  (process: y3397747.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: WEXTRACT.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (process: y5573007.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  (process: y0320571.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (45 IoCs)
Processes: WEXTRACT.exe, y5573007.exe, y0320571.exe, y3397747.exe, l9706125.exe, saves.exe, cmd.exe
Each of the 15 source/target pairs below was recorded three times (45 IoCs in total):
  PID 4288 (WEXTRACT.exe) wrote to memory of PID 540 (y5573007.exe)
  PID 540 (y5573007.exe) wrote to memory of PID 2372 (y0320571.exe)
  PID 2372 (y0320571.exe) wrote to memory of PID 4872 (y3397747.exe)
  PID 4872 (y3397747.exe) wrote to memory of PID 4620 (l9706125.exe)
  PID 4620 (l9706125.exe) wrote to memory of PID 2940 (saves.exe)
  PID 4872 (y3397747.exe) wrote to memory of PID 3224 (m4012392.exe)
  PID 2372 (y0320571.exe) wrote to memory of PID 2760 (n0933183.exe)
  PID 2940 (saves.exe) wrote to memory of PID 2936 (schtasks.exe)
  PID 2940 (saves.exe) wrote to memory of PID 3084 (cmd.exe)
  PID 3084 (cmd.exe) wrote to memory of PID 3984 (cmd.exe)
  PID 3084 (cmd.exe) wrote to memory of PID 2540 (cacls.exe)
  PID 3084 (cmd.exe) wrote to memory of PID 1136 (cacls.exe)
  PID 3084 (cmd.exe) wrote to memory of PID 4184 (cmd.exe)
  PID 3084 (cmd.exe) wrote to memory of PID 1384 (cacls.exe)
  PID 3084 (cmd.exe) wrote to memory of PID 4664 (cacls.exe)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe"
    PID: 4288
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5573007.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5573007.exe
      PID: 540
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0320571.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0320571.exe
        PID: 2372
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3397747.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3397747.exe
          PID: 4872
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l9706125.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l9706125.exe
            PID: 4620
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
              PID: 2940
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\schtasks.exe
                Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                PID: 2936
                - Creates scheduled task(s)
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                PID: 3084
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 3984
              [8] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "saves.exe" /P "Admin:N"
                  PID: 2540
              [8] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "saves.exe" /P "Admin:R" /E
                  PID: 1136
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 4184
              [8] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "..\b40d11255d" /P "Admin:N"
                  PID: 1384
              [8] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "..\b40d11255d" /P "Admin:R" /E
                  PID: 4664
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4012392.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4012392.exe
            PID: 3224
            - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0933183.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0933183.exe
          PID: 2760
          - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    PID: 4460
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    PID: 4416
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads