Overview
overview
10Static
static
30b4bb67302...ca.exe
windows10-2004-x64
910f472a1b5...37.exe
windows10-2004-x64
101208df4133...ab.exe
windows10-2004-x64
1022c8884d0e...34.exe
windows10-2004-x64
10277f52adcf...94.exe
windows10-2004-x64
103a484bb7d4...29.exe
windows10-2004-x64
103bdb06aad8...f3.exe
windows7-x64
103bdb06aad8...f3.exe
windows10-2004-x64
103d03f2fde9...00.exe
windows10-2004-x64
1040fbde6d35...71.exe
windows10-2004-x64
1053b6f1fa7f...02.exe
windows7-x64
1053b6f1fa7f...02.exe
windows10-2004-x64
106286d393c9...52.exe
windows7-x64
36286d393c9...52.exe
windows10-2004-x64
1066b71ef5ba...21.exe
windows10-2004-x64
107c73d83c0a...75.exe
windows10-2004-x64
10bccb41d4cd...17.exe
windows10-2004-x64
10c1c526ed2a...52.exe
windows10-2004-x64
10c726b1e0ec...ab.exe
windows10-2004-x64
10c8c3182273...54.exe
windows10-2004-x64
10d1e8dbd667...dd.exe
windows10-2004-x64
10d4fbce6f6a...86.exe
windows7-x64
3d4fbce6f6a...86.exe
windows10-2004-x64
10d7873c75af...a3.exe
windows10-2004-x64
10e25842dbe6...9e.exe
windows10-2004-x64
10fa1fbbcbd6...cf.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 15:27
Static task
static1
Behavioral task
behavioral1
Sample
0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
1208df413315575653953f79f71da4afa0f3816339cca881a3bd12be0cc7f0ab.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
22c8884d0e33db7ed2cd497936f31b5efeaa43a037af2f4c61a1a768919a6334.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
3a484bb7d4882d8f4ab5dcb7c60a4d1397a642611888b68c5e13702926794729.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
3bdb06aad8f213ba8c98a80c76648a19cb074038ed82c6e1c890c4181bbd59f3.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
3bdb06aad8f213ba8c98a80c76648a19cb074038ed82c6e1c890c4181bbd59f3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
3d03f2fde9b9bf8b3069d0b3bdf2625973d4f23daa92673be4185d9c0d5f2500.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
6286d393c93044fd5b8363ccad5324fadfde3e3d9b340ec908941eab3fe90652.exe
Resource
win7-20240419-en
Behavioral task
behavioral14
Sample
6286d393c93044fd5b8363ccad5324fadfde3e3d9b340ec908941eab3fe90652.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
66b71ef5ba881cda863dc50bab8ede20c8bdff7c699aa7b767f476f2b83eb421.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
7c73d83c0a0062c5cead0597dac9f90beac93ae125536330571cadd52acefe75.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
bccb41d4cd07f22dc7128aa361e7b2b43320ef072e11627fd143b376cdee0817.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
c726b1e0ec6fea88dec580a790bb738a4976fe2f076a838067ec66bc403054ab.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
c8c3182273e1f34a2e9b4a2afb39aa5e5fa9ae93368dd9487b95f7ca43f17d54.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
d1e8dbd66731cd0a95e444d0fda9ebdc32fdc49845c43907cd292619ac4e88dd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
d4fbce6f6a714d781d28b578580461d8811477b0156700a58b25cdce361c4186.exe
Resource
win7-20240508-en
Behavioral task
behavioral23
Sample
d4fbce6f6a714d781d28b578580461d8811477b0156700a58b25cdce361c4186.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral24
Sample
d7873c75af8bf0f44eedb5171fcab5b70d157578f4a43aff8aaadb23058cb1a3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
e25842dbe6ab8469f81bd821ab70c2818962c7a681f45dfcd09f741409b2bb9e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral26
Sample
fa1fbbcbd6fb540be61aeb0eb89533d4e8d0fb64c2d0bcdd3f9263ff954a2acf.exe
Resource
win10v2004-20240508-en
General
-
Target
c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe
-
Size
476KB
-
MD5
e8caa8893f50e0966996c562c5eb98c6
-
SHA1
c40d0c633b13045071520280d46f4e46bb13585b
-
SHA256
c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52
-
SHA512
a046db8a5d6517a1666128eec70ccf1d1a7e43d3a82b1a611a0682098c13be1f2f4a95eda33b5a5458c963cac460d684e7fad34404b23fbc4243b37b788e55df
-
SSDEEP
12288:GMr+y90sHo/b58xomWqrWmDmuKRiEXYp7FMkCeHQYbuQCvZReT:kyXHk58xosWgmuKcEAFXHHQ2WG
Malware Config
Extracted
amadey
3.87
http://77.91.68.18
-
install_dir
b40d11255d
-
install_file
saves.exe
-
strings_key
fa622dfc42544927a6471829ee1fa9fe
-
url_paths
/nice/index.php
Extracted
redline
gena
77.91.124.82:19071
-
auth_value
93c20961cb6b06b2d5781c212db6201e
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral18/files/0x000700000002343b-24.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral18/files/0x0007000000023438-27.dat family_redline behavioral18/memory/2200-29-0x0000000000D20000-0x0000000000D50000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation saves.exe Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation l5816787.exe -
Executes dropped EXE 8 IoCs
pid Process 4196 y8006777.exe 1636 l5816787.exe 3372 saves.exe 1864 m2271043.exe 2200 n0530273.exe 5052 saves.exe 4928 saves.exe 4160 saves.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y8006777.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 216 schtasks.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 1772 wrote to memory of 4196 1772 c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe 82 PID 1772 wrote to memory of 4196 1772 c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe 82 PID 1772 wrote to memory of 4196 1772 c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe 82 PID 4196 wrote to memory of 1636 4196 y8006777.exe 83 PID 4196 wrote to memory of 1636 4196 y8006777.exe 83 PID 4196 wrote to memory of 1636 4196 y8006777.exe 83 PID 1636 wrote to memory of 3372 1636 l5816787.exe 84 PID 1636 wrote to memory of 3372 1636 l5816787.exe 84 PID 1636 wrote to memory of 3372 1636 l5816787.exe 84 PID 4196 wrote to memory of 1864 4196 y8006777.exe 85 PID 4196 wrote to memory of 1864 4196 y8006777.exe 85 PID 4196 wrote to memory of 1864 4196 y8006777.exe 85 PID 1772 wrote to memory of 2200 1772 c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe 86 PID 1772 wrote to memory of 2200 1772 c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe 86 PID 1772 wrote to memory of 2200 1772 c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe 86 PID 3372 wrote to memory of 216 3372 saves.exe 87 PID 3372 wrote to memory of 216 3372 saves.exe 87 PID 3372 wrote to memory of 216 3372 saves.exe 87 PID 3372 wrote to memory of 3720 3372 saves.exe 89 PID 3372 wrote to memory of 3720 3372 saves.exe 89 PID 3372 wrote to memory of 3720 3372 saves.exe 89 PID 3720 wrote to memory of 4512 3720 cmd.exe 92 PID 3720 wrote to memory of 4512 3720 cmd.exe 92 PID 3720 wrote to memory of 4512 3720 cmd.exe 92 PID 3720 wrote to memory of 3220 3720 cmd.exe 93 PID 3720 wrote to memory of 3220 3720 cmd.exe 93 PID 3720 wrote to memory of 3220 3720 cmd.exe 93 PID 3720 wrote to memory of 1148 3720 cmd.exe 94 PID 3720 wrote to memory of 1148 3720 cmd.exe 94 PID 3720 wrote to memory of 1148 3720 cmd.exe 94 PID 3720 wrote to memory of 4024 3720 cmd.exe 95 PID 3720 wrote to memory of 4024 3720 cmd.exe 95 PID 3720 wrote to memory of 4024 3720 cmd.exe 95 PID 3720 wrote to memory of 3976 3720 cmd.exe 96 PID 3720 wrote to memory of 3976 3720 cmd.exe 96 PID 3720 wrote to memory of 3976 3720 cmd.exe 96 PID 3720 wrote to memory of 1664 3720 cmd.exe 97 PID 3720 wrote to memory of 1664 3720 cmd.exe 97 PID 3720 wrote to memory of 1664 3720 cmd.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe"C:\Users\Admin\AppData\Local\Temp\c1c526ed2ab259f0f169f9f6ea8e5765aeff3889749ee6e4c140d24a06cd2f52.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8006777.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8006777.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5816787.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5816787.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F5⤵
- Creates scheduled task(s)
PID:216
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4512
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:N"6⤵PID:3220
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:R" /E6⤵PID:1148
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4024
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:N"6⤵PID:3976
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:R" /E6⤵PID:1664
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2271043.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2271043.exe3⤵
- Executes dropped EXE
PID:1864
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0530273.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0530273.exe2⤵
- Executes dropped EXE
PID:2200
-
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:5052
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:4928
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:4160
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
174KB
MD567b679007895ad5221a7c3e8b781b54e
SHA1ed770869525a7c514da0ebcaceae1506ae48c7d8
SHA256221e2f07e80ea945ac366c584213d9b66f16c15d47697ca949591f8670902bcc
SHA51278608de582e18cf006d9ae1163ac8d6edcbfe8180fbb5177148337ad17f37ff1f2b099859a3da7d70e905ee988fd1ba7e43ddee6c08396b99e9e6f11442463da
-
Filesize
320KB
MD5c7c86ccb7a8447c0fc280c1677d5bdfc
SHA147c05e0511f3d29afe982bf266cb420cc85cb0fb
SHA256c69d581e2c9751820b591c60023bbffd16aa66ad26d0c76b20574cdac2cc7be2
SHA5125015e11b3d4857a07cfd27d5f176721b0eeede05e675ff6ffb2546126853164f580bedcc847d9ceaf9a9916478a8c41355015c2c2764124b7e47dd2521ab13e3
-
Filesize
335KB
MD56d6b96a92544faf72eeafb12f8b03320
SHA13d1095a129d9e65ee3c4593a37df5fbde1a9c9ff
SHA256773f907d2c472a0f71c5fec49edda17b3d54b533c1f5dfd76e19a817ee20afd6
SHA512cce8e9c1e27ddd2317293980e63cf3bd0e4355250dc663068ac799377d26818c01840fc38fecb041becc50225362ac00e10477eec99be2bfafda428074284282
-
Filesize
141KB
MD5e20a8d99c2fa4dab57a98936fe6b3cd3
SHA1b9dcbdc93213bf15c407bb1f017eeb984c3670ca
SHA256b619ed8c3f069c9cf47548a4eeeb5ab2c20c78a96c6ad27ca0d6e869a115eefe
SHA5125b749c3fd1cbee7a630927fc95380dd237ef82dac5959f76a52b88069d1bce5145950903177103a396aa7f1f0a57f79536410cadb2b4fe403313bcc41215854f