Overview

overview

10

Static

static

3

01f1d397ee...7e.exe

windows10-2004-x64

10

061d4b3cae...c3.exe

windows10-2004-x64

10

1510cb1a4f...7d.exe

windows10-2004-x64

10

18c958ac25...40.exe

windows10-2004-x64

10

1ae5f47f1c...e8.exe

windows10-2004-x64

10

27768bc448...de.exe

windows10-2004-x64

10

32de0993bc...1e.exe

windows10-2004-x64

10

4758300458...ca.exe

windows10-2004-x64

10

58fadac014...99.exe

windows10-2004-x64

10

5bcb59af1e...c1.exe

windows10-2004-x64

10

6e55f3939c...05.exe

windows10-2004-x64

10

7974488bc6...15.exe

windows10-2004-x64

10

835316bac6...9f.exe

windows10-2004-x64

10

9e24511e4a...1c.exe

windows10-2004-x64

10

a9634fd1ba...2f.exe

windows10-2004-x64

10

c1f424012a...97.exe

windows10-2004-x64

10

d73983a055...6c.exe

windows10-2004-x64

10

d7acd7c73c...c4.exe

windows10-2004-x64

10

e7a1c6bd3a...74.exe

windows10-2004-x64

10

e9a8b4bb4d...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1f424012a2d01ca458f9aa1aee9cfff75d79a0d7398ed9d13463a386f0c9297.exe

  • Size

    827KB

  • MD5

    bfa4cf5f2fd81a32cb9ef83232c720a5

  • SHA1

    d51afc3ae1d52a7180f052e30b50fbd49041e4db

  • SHA256

    c1f424012a2d01ca458f9aa1aee9cfff75d79a0d7398ed9d13463a386f0c9297

  • SHA512

    d711132e94eadb471557ed27b962e92e32591aea3e22cbd74207c092da2a55307f0482b8ed711033c4b7213f0c420f78d6f0fb84cdb8eeb8ee5da42997fc2f04

  • SSDEEP

    24576:Yy6WNyEwY8oqPgx/7Qf5kGeLUKhO5U1J9CzyfsO:f6uyEP8oqYx/Uf58PCef

Score
10/10
mysticredlinekendoinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kendo

C2

77.91.124.82:19071

Attributes
  • auth_value

    5a22a881561d49941415902859b51f14

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1f424012a2d01ca458f9aa1aee9cfff75d79a0d7398ed9d13463a386f0c9297.exe
    "C:\Users\Admin\AppData\Local\Temp\c1f424012a2d01ca458f9aa1aee9cfff75d79a0d7398ed9d13463a386f0c9297.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2790192.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2790192.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1594632.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1594632.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3940
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5892730.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5892730.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3552
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:3180
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
                PID:4320
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 572
                5⤵
                • Program crash
                PID:4336
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7023556.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7023556.exe
              4⤵
              • Executes dropped EXE
              PID:2844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3552 -ip 3552
        1⤵
          PID:3936
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3416 /prefetch:8
          1⤵
            PID:2644

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2790192.exe
            Filesize

            556KB

            MD5

            ab353ab8395136ce3c214ebd8e8b74e5

            SHA1

            103db4ed2ff9b5296ffae98a797a122a050ffc60

            SHA256

            351faf7ade9423e3056a77dca69892082a8e30ad2389789858fe874f64925256

            SHA512

            352216fdaf6686c402a6979e654a5cda635a1787170c219f6589e33a2eed83a3665e03f1d36f7f1c2971c59ef51c66b779b212a7eaf02b23ab2b1f1934eb5fc2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1594632.exe
            Filesize

            390KB

            MD5

            db43c539d38e0bc63a2849e4415aefee

            SHA1

            749d0e1d77da28ed864525f0e0999af9c9a71a03

            SHA256

            6c88d6864ac21b191dcba056eadae954f32a7e758412250ab70a83e94414a045

            SHA512

            5a9194e554303c9d41c72fc2c7712056d5d68283f7fcd1a0041cfa30621519f8f69baca1b8f39755c9fb111235c234e17c6607c98d71b1294e0918e55f22ad81

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5892730.exe
            Filesize

            364KB

            MD5

            19622df5eda5bd2c71ee8000dee836e6

            SHA1

            d73854203c08104994cdbe9b46b1403df7777624

            SHA256

            56ac3827460e328e4359dd7483371cd550d271776e14708403888130375fd115

            SHA512

            c7cbeb39c4e7c941715455124c102abab12f64f724c6e81ef9fdd5692873c15a18f7684066e11e0a845a40bf6e31898c23f65ec47d74b0aff0464fb53abbd9a5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7023556.exe
            Filesize

            174KB

            MD5

            ae141dfba399b606555b9acacfc8eb94

            SHA1

            7759ea1d7052da3aa2b2efad1badeee9a9e69d96

            SHA256

            096844ac923777fb50381ec3a2be5258af7b1ede272f2af05a789ec6bb173eda

            SHA512

            35a47d6135d7cdb1d069c4d5c8e5f24daf180e7976196220f3cda72e57fa228f74d4784787b241dcff4f1fb911102fc1279a645e65e0ff95af682ee7c38a8bda

            Download Submit

          • memory/2844-32-0x0000000005220000-0x000000000532A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2844-35-0x0000000005330000-0x000000000537C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2844-34-0x00000000051A0000-0x00000000051DC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2844-33-0x0000000005140000-0x0000000005152000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2844-29-0x0000000000670000-0x00000000006A0000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2844-30-0x00000000050D0000-0x00000000050D6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2844-31-0x0000000005730000-0x0000000005D48000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4320-21-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/4320-22-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/4320-23-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/4320-25-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download