Overview
overview
10Static
static
306f3c929ba...53.exe
windows10-2004-x64
10122d65cff9...20.exe
windows10-2004-x64
101a0bfd97a4...9c.exe
windows10-2004-x64
101a180e9105...fe.exe
windows10-2004-x64
71c5289e7e6...0b.exe
windows10-2004-x64
1032ca200f34...aa.exe
windows10-2004-x64
103aa025ea78...5d.exe
windows10-2004-x64
103bcf19ad48...5c.exe
windows10-2004-x64
106b10f19a8c...42.exe
windows10-2004-x64
108b1c0f6d0e...f8.exe
windows10-2004-x64
109270cb48ef...96.exe
windows10-2004-x64
10982c3849f2...2b.exe
windows10-2004-x64
10a5ef532105...7b.exe
windows10-2004-x64
10a96e6df3c0...de.exe
windows10-2004-x64
10ba6bca4989...71.exe
windows10-2004-x64
10bad97858db...8e.exe
windows10-2004-x64
10bcce7883f8...a7.exe
windows7-x64
10bcce7883f8...a7.exe
windows10-2004-x64
10cfb7a03bea...b3.exe
windows10-2004-x64
10f446c909f1...3f.exe
windows10-2004-x64
10f8f22cd34c...16.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 18:40
Static task
static1
Behavioral task
behavioral1
Sample
06f3c929bab6bc6923c8d8bcc94bb40374b50fbcd1c5bb74105608664f303c53.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
1a0bfd97a460f55b1fc7e0dce89496b0041a7a6e39a4429ca0e9d48b03a50c9c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
1a180e910531bba2f707949af207f2fdc8ce9073f7ac314168ae29b53eedd8fe.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
1c5289e7e618b13af020062e6a741d58a9f93e862fe8f04fa08d33b6e2ace50b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
32ca200f348780ce8d89e1c2b2a59df856ec7ce7657e7807dc4330e092222baa.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
3aa025ea78f4c4f22121974ca9750d5a185b237e08bdbb6226487f9b7182e85d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3bcf19ad48db781a2c873e68aa933f623915c3a94ae76b3b8bb367d1d4b90e5c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
6b10f19a8c69f2455a53b070f335d6251772e99efec94e5ada48b7464cae5a42.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
8b1c0f6d0e624fbcd937c3ccc23b673ab7072ccc0339934effd7d6d64916b2f8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
a5ef5321052ab836215111e00811fcd41cd3e3b3786bda1ed7edece97cba6a7b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
ba6bca4989ecb1792e703ed9fe411faf649a4dcb4d05d319ac2678201fd51871.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
bcce7883f84c054a7e0e31d30fae77ecd28c2dc7149f36958b01440bf0334ea7.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
bcce7883f84c054a7e0e31d30fae77ecd28c2dc7149f36958b01440bf0334ea7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
f446c909f19842f14d9643227c64f29a129aefa05bfd1800cdf1d9231454083f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916.exe
Resource
win10v2004-20240426-en
General
-
Target
a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe
-
Size
609KB
-
MD5
61bd17a21335a48a02b95ab76ded1909
-
SHA1
759a7145c9c489f1d48b7c349455af480ab1a176
-
SHA256
a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede
-
SHA512
d92813d7ad7ec1c6eba3d41c39c7e73474554fb9cda136dde1d4fe4fd7d878a78193e8bb7d6ab6da5d0cb00cc81afd35a48920ec4fd2d413c20e477cd7425c94
-
SSDEEP
12288:3MrGy90NavpHis6vvFice4mMr2Lz/l/xMJD6:9ynRCsYFicjP2vy6
Malware Config
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral14/files/0x0008000000023458-19.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral14/files/0x0007000000023459-22.dat family_redline behavioral14/memory/4324-24-0x00000000004B0000-0x00000000004E0000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 1728 y2518186.exe 2240 y3678289.exe 3824 m4094971.exe 4324 n8080157.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y2518186.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y3678289.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2952 wrote to memory of 1728 2952 a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe 84 PID 2952 wrote to memory of 1728 2952 a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe 84 PID 2952 wrote to memory of 1728 2952 a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe 84 PID 1728 wrote to memory of 2240 1728 y2518186.exe 85 PID 1728 wrote to memory of 2240 1728 y2518186.exe 85 PID 1728 wrote to memory of 2240 1728 y2518186.exe 85 PID 2240 wrote to memory of 3824 2240 y3678289.exe 86 PID 2240 wrote to memory of 3824 2240 y3678289.exe 86 PID 2240 wrote to memory of 3824 2240 y3678289.exe 86 PID 2240 wrote to memory of 4324 2240 y3678289.exe 87 PID 2240 wrote to memory of 4324 2240 y3678289.exe 87 PID 2240 wrote to memory of 4324 2240 y3678289.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe"C:\Users\Admin\AppData\Local\Temp\a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2518186.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2518186.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3678289.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3678289.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4094971.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4094971.exe4⤵
- Executes dropped EXE
PID:3824
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8080157.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8080157.exe4⤵
- Executes dropped EXE
PID:4324
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
507KB
MD5c40c056f0d7964921b53a25c614c7fa5
SHA1114889349ef6f94f26d44c7dbbe9bf6100df87c1
SHA256cbcd7bc65eed58b02618e59d276b71cb4b52c55218d0fc2893c41bcfd0ba6520
SHA512b6a858c71035e282510461ab5b09d9c58eabcefda481995fc414327f0eec87db85b27ec59b81fe537864fc2a3b0300efffa61623dbe91950541eee234cfa8db5
-
Filesize
271KB
MD5c2905272e8eb1993bdfc36156e41dacc
SHA1757c4741ec0384b0d7161ac9840df133cdd12c68
SHA256ad9ab4843f45d124a5e587b4abb25c8505c15c55d8814b56920e5695d4873785
SHA512822838386ed5fac0b2988d33c612c2e23f1675f4aff3c315d8084b3f762a36361c498e22e4e05f45639bbc06feda6b8a5bef4f932405299509c785978e7d5900
-
Filesize
140KB
MD555065b4c99e52d6d9d159763c9defa0c
SHA14dd26ef3272cc61d27e24f6951b5a1c171a3d5b7
SHA25682408e34939641ffe7e499adf8aabcda56173c890f1373dae24733068752cfa9
SHA512fa06c2d918c0c50a6172e9d0a7b24df13da44c4b4c274c726a3f78b420f343cdf3dc68c110f78a043a4f613dee83f907b244abf37e8b4f82e66ccf99fdc7c701
-
Filesize
176KB
MD5ddb244e9f36fe72ca98af93f27ccca45
SHA172364a4213d5492380f74f58da65510b99f9bcda
SHA2566c03f21a333324a8b8f7b5534d05695e4ff8f7e8e1c2f55aad403fb0d95135de
SHA5123e98bccf37ada4a8bf24c84b73fcea3effe1733eb53a4eda540ab1da0a661a93d9866703b2e98d8dcc25c689b54767d8d1f0d085c21656b2e33106f796f3b3b6