Overview

Static

Samples in this submission (badge, sample, platform):
  3   06f3c929ba...53.exe   windows10-2004-x64
  10  122d65cff9...20.exe   windows10-2004-x64
  10  1a0bfd97a4...9c.exe   windows10-2004-x64
  10  1a180e9105...fe.exe   windows10-2004-x64
  7   1c5289e7e6...0b.exe   windows10-2004-x64
  10  32ca200f34...aa.exe   windows10-2004-x64
  10  3aa025ea78...5d.exe   windows10-2004-x64
  10  3bcf19ad48...5c.exe   windows10-2004-x64
  10  6b10f19a8c...42.exe   windows10-2004-x64
  10  8b1c0f6d0e...f8.exe   windows10-2004-x64
  10  9270cb48ef...96.exe   windows10-2004-x64
  10  982c3849f2...2b.exe   windows10-2004-x64
  10  a5ef532105...7b.exe   windows10-2004-x64
  10  a96e6df3c0...de.exe   windows10-2004-x64
  10  ba6bca4989...71.exe   windows10-2004-x64
  10  bad97858db...8e.exe   windows10-2004-x64
  10  bcce7883f8...a7.exe   windows7-x64
  10  bcce7883f8...a7.exe   windows10-2004-x64
  10  cfb7a03bea...b3.exe   windows10-2004-x64
  10  f446c909f1...3f.exe   windows10-2004-x64
  10  f8f22cd34c...16.exe   windows10-2004-x64
Analysis

max time kernel: 148s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 18:40
Static task: static1

Behavioral tasks (task, sample, resource):
  behavioral1   06f3c929bab6bc6923c8d8bcc94bb40374b50fbcd1c5bb74105608664f303c53.exe   win10v2004-20240426-en
  behavioral2   122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe   win10v2004-20240508-en
  behavioral3   1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exe   win10v2004-20240508-en
  behavioral4   1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe.exe   win10v2004-20240426-en
  behavioral5   1c5289e7e618b13af020062e6a741d58a9f93e862fe8f04fa08d33b6e2ace50b.exe   win10v2004-20240426-en
  behavioral6   32ca200f348780ce8d89e1c2b2a59df856ec7ce7657e7807dc4330e092222baa.exe   win10v2004-20240508-en
  behavioral7   3aa025ea78f4c4f22121974ca9750d5a185b237e08bdbb6226487f9b7182e85d.exe   win10v2004-20240426-en
  behavioral8   3bcf19ad48db781a2c873e68aa933f623915c3a94ae76b3b8bb367d1d4b90e5c.exe   win10v2004-20240426-en
  behavioral9   6b10f19a8c69f2455a53b070f335d6251772e99efec94e5ada48b7464cae5a42.exe   win10v2004-20240508-en
  behavioral10  8b1c0f6d0e624fbcd937c3ccc23b673ab7072ccc0339934effd7d6d64916b2f8.exe   win10v2004-20240508-en
  behavioral11  9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296.exe   win10v2004-20240426-en
  behavioral12  982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe   win10v2004-20240226-en
  behavioral13  a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe   win10v2004-20240508-en
  behavioral14  a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe   win10v2004-20240426-en
  behavioral15  ba6bca4989ecb1792e703ed9fe411faf649a4dcb4d05d319ac2678201fd51871.exe   win10v2004-20240508-en
  behavioral16  bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e.exe   win10v2004-20240508-en
  behavioral17  bcce7883f84c054a7e0e31d30fae77ecd28c2dc7149f36958b01440bf0334ea7.exe   win7-20240221-en
  behavioral18  bcce7883f84c054a7e0e31d30fae77ecd28c2dc7149f36958b01440bf0334ea7.exe   win10v2004-20240508-en
  behavioral19  cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3.exe   win10v2004-20240426-en
  behavioral20  f446c909f19842f14d9643227c64f29a129aefa05bfd1800cdf1d9231454083f.exe   win10v2004-20240426-en
  behavioral21  f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916.exe   win10v2004-20240426-en
General

Target: a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe
Size: 786KB
MD5: d97d90418a7726a700763296227eb7cc
SHA1: 430ecef62ce1eb2830d0e197a94c211d4f94ba8f
SHA256: a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b
SHA512: 9d55808e50e6a79a5534d934bba7de7d337fab4cf4abbb6b5e96e324b9eedf8503e89b4045d43029fea43a417db599abe8335b82c9b94c97eca479174510e6c8
SSDEEP: 12288:fMrCy905rSmfpxFMSmWGsUKenqO5tD20+6mf1KRpsXZp79yOQxhLY2k0Uy7Z1:hyGdfFMOoDtmf1Krsj0h02k9y1
Malware Config

Extracted: amadey
  3.87
  59b440
  http://77.91.68.18
  install_dir: b40d11255d
  install_file: saves.exe
  strings_key: fa622dfc42544927a6471829ee1fa9fe
  url_paths: /nice/index.php

Extracted: redline
  mrak
  77.91.124.82:19071
  auth_value: 7d9a335ab5dfd42d374867c96fe25302
Signatures

Detect Mystic stealer payload (1 IoC)
  resource: behavioral13/files/0x000700000002341a-38.dat   yara_rule: mystic_family

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource: behavioral13/files/0x0007000000023417-41.dat   yara_rule: family_redline
  resource: behavioral13/memory/3228-43-0x0000000000A90000-0x0000000000AC0000-memory.dmp   yara_rule: family_redline

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation   Process: b9618356.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation   Process: saves.exe

Executes dropped EXE (9 IoCs)
  PID 4680  v2449602.exe
  PID 2504  v9512729.exe
  PID 2488  v0518184.exe
  PID 3976  b9618356.exe
  PID 1060  saves.exe
  PID 1628  c6017579.exe
  PID 3228  d0205995.exe
  PID 4364  saves.exe
  PID 1312  saves.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   Process: a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   Process: v2449602.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   Process: v9512729.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""   Process: v0518184.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3176  schtasks.exe

Suspicious use of WriteProcessMemory (45 IoCs; each row below was reported 3 times, giving 15 distinct parent/child pairs)
  description                          pid   Process                                                                   procid_target
  PID 4952 wrote to memory of 4680     4952  a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe    83
  PID 4680 wrote to memory of 2504     4680  v2449602.exe                                                              84
  PID 2504 wrote to memory of 2488     2504  v9512729.exe                                                              85
  PID 2488 wrote to memory of 3976     2488  v0518184.exe                                                              87
  PID 3976 wrote to memory of 1060     3976  b9618356.exe                                                              88
  PID 2488 wrote to memory of 1628     2488  v0518184.exe                                                              89
  PID 2504 wrote to memory of 3228     2504  v9512729.exe                                                              90
  PID 1060 wrote to memory of 3176     1060  saves.exe                                                                 91
  PID 1060 wrote to memory of 3148     1060  saves.exe                                                                 93
  PID 3148 wrote to memory of 4396     3148  cmd.exe                                                                   95
  PID 3148 wrote to memory of 3520     3148  cmd.exe                                                                   96
  PID 3148 wrote to memory of 3684     3148  cmd.exe                                                                   97
  PID 3148 wrote to memory of 4432     3148  cmd.exe                                                                   98
  PID 3148 wrote to memory of 3600     3148  cmd.exe                                                                   99
  PID 3148 wrote to memory of 4280     3148  cmd.exe                                                                   100
Processes (indentation shows the parent/child depth reported by the sandbox)

a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe (PID 4952)
  image: C:\Users\Admin\AppData\Local\Temp\a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  v2449602.exe (PID 4680)
    image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2449602.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2449602.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    v9512729.exe (PID 2504)
      image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9512729.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9512729.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      v0518184.exe (PID 2488)
        image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0518184.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0518184.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        b9618356.exe (PID 3976)
          image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9618356.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9618356.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          saves.exe (PID 1060)
            image: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            schtasks.exe (PID 3176)
              image: C:\Windows\SysWOW64\schtasks.exe
              cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
              - Creates scheduled task(s)

            cmd.exe (PID 3148)
              image: C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
              - Suspicious use of WriteProcessMemory

              cmd.exe (PID 4396)
                image: C:\Windows\SysWOW64\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

              cacls.exe (PID 3520)
                image: C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "saves.exe" /P "Admin:N"

              cacls.exe (PID 3684)
                image: C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "saves.exe" /P "Admin:R" /E

              cmd.exe (PID 4432)
                image: C:\Windows\SysWOW64\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

              cacls.exe (PID 3600)
                image: C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "..\b40d11255d" /P "Admin:N"

              cacls.exe (PID 4280)
                image: C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "..\b40d11255d" /P "Admin:R" /E

        c6017579.exe (PID 1628)
          image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6017579.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6017579.exe
          - Executes dropped EXE

      d0205995.exe (PID 3228)
        image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0205995.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d0205995.exe
        - Executes dropped EXE

saves.exe (PID 4364)
  image: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  - Executes dropped EXE

saves.exe (PID 1312)
  image: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 600KB
  MD5: b824cd2187bf08a072642d6ae625dbe0
  SHA1: 8938622c65ff9391f6896e45cc7058df6e9c592c
  SHA256: 5d206528f7bd94d0ba488d757b2d4552d4fa49963fa28a23ef337b2fc6715b9b
  SHA512: a0ad13dd7e61a6847f694705228abc51f2f6fd7c5d8821b7c753a28a26247473943488c39f95e56a8af93b549a63437d7a4aa957ea7c34f2124e9b78be0b4e91

Filesize: 476KB
  MD5: 83462e01c9768e5e155aadee1a68b9e6
  SHA1: 732785789aabc6328491ad50ca00409a52429d55
  SHA256: 1d0463f348f5bf8267fb314fc6463991d5b044608be09c2576c9b26b1c1b4939
  SHA512: 6c46c76a6da871f0538548ec21d692c04af4fcb9f58652d2d53acfc4437fd385caaf386b4722b4de01d9ac6b819477f2e116b9a3a8389f840160d0c3df8a994c

Filesize: 174KB
  MD5: 0c97f78762555a981d54d7352d32c551
  SHA1: 0b34f912a8a864f14ea1def622183c84150d520e
  SHA256: 212392ff2184f8d3599f5d2ff13a69c87e12509f77ebe8b04f1fb032a9756994
  SHA512: fdf8d1d6d6ef9f5d894be12056a5e6c7d1ed09be91de863c31f18a028b65ac9ceae31f384d5859e4a263d5acd84e77a4d080fce51e09451a4e561c094c30cc74

Filesize: 320KB
  MD5: 68f8e2fbf474f4838427446146dd8ade
  SHA1: 77b638f00459905f5180db8740af70837bcf1b0f
  SHA256: db761e28eba09b3f00771ee2384acbe435ffa5a1e2a9c10d22ce082a6d189e09
  SHA512: c6da1702d96a8f81175a1286bb27e57617f6cbe264d37f122eb9cae4ab2d65010b16a7896c6f29e8254c262e0b06ee29431bfb6151fc82370d85a698b76b7098

Filesize: 337KB
  MD5: 205349674151c4627c1d77f90972ad39
  SHA1: 6d50fec73492623550dab7ad75c7637090c33bfe
  SHA256: 7c205e45cbe9dc76c5d6cb235c1d065898169c4d5e75a5f9a6b7e22b70a4e9a8
  SHA512: 137e2bac3d4d9054ea35ddcc389ebab10e9e14974135b24e7d49c7a015b0ac5e06c478a1d3c4b96ad5cfe04d7cd8b61625c6e4ef28e36cbef2f4220cbb053896

Filesize: 142KB
  MD5: eaafd7b5a4f81809dcd90961ff255e5d
  SHA1: b75369d5150df03db334804f39c6eb9a483a259e
  SHA256: 41843af416513cbf9186cdcb1c007b9de75246c4bae0631ebcab64bec83be853
  SHA512: 10fe2105bc6d6cc22c1898fa00766aa14b9bf33f4a901f161e30dea1ac5bc1be296c052491d297697980a65e95dd633ff11fb622922377d83fd359dffee0b258