Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 18:40

General

  • Target

    a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe

  • Size

    609KB

  • MD5

    61bd17a21335a48a02b95ab76ded1909

  • SHA1

    759a7145c9c489f1d48b7c349455af480ab1a176

  • SHA256

    a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede

  • SHA512

    d92813d7ad7ec1c6eba3d41c39c7e73474554fb9cda136dde1d4fe4fd7d878a78193e8bb7d6ab6da5d0cb00cc81afd35a48920ec4fd2d413c20e477cd7425c94

  • SSDEEP

    12288:3MrGy90NavpHis6vvFice4mMr2Lz/l/xMJD6:9ynRCsYFicjP2vy6

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe
    "C:\Users\Admin\AppData\Local\Temp\a96e6df3c0e345fa518723f36c81521d2f056b19754c4bbd84cdd3c90347eede.exe"
    (depth 1)
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2518186.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2518186.exe
      (depth 2)
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3678289.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3678289.exe
        (depth 3)
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4094971.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4094971.exe
          (depth 4)
          • Executes dropped EXE
          PID:3824
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8080157.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8080157.exe
          (depth 4)
          • Executes dropped EXE
          PID:4324

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2518186.exe

    Filesize

    507KB

    MD5

    c40c056f0d7964921b53a25c614c7fa5

    SHA1

    114889349ef6f94f26d44c7dbbe9bf6100df87c1

    SHA256

    cbcd7bc65eed58b02618e59d276b71cb4b52c55218d0fc2893c41bcfd0ba6520

    SHA512

    b6a858c71035e282510461ab5b09d9c58eabcefda481995fc414327f0eec87db85b27ec59b81fe537864fc2a3b0300efffa61623dbe91950541eee234cfa8db5

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3678289.exe

    Filesize

    271KB

    MD5

    c2905272e8eb1993bdfc36156e41dacc

    SHA1

    757c4741ec0384b0d7161ac9840df133cdd12c68

    SHA256

    ad9ab4843f45d124a5e587b4abb25c8505c15c55d8814b56920e5695d4873785

    SHA512

    822838386ed5fac0b2988d33c612c2e23f1675f4aff3c315d8084b3f762a36361c498e22e4e05f45639bbc06feda6b8a5bef4f932405299509c785978e7d5900

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4094971.exe

    Filesize

    140KB

    MD5

    55065b4c99e52d6d9d159763c9defa0c

    SHA1

    4dd26ef3272cc61d27e24f6951b5a1c171a3d5b7

    SHA256

    82408e34939641ffe7e499adf8aabcda56173c890f1373dae24733068752cfa9

    SHA512

    fa06c2d918c0c50a6172e9d0a7b24df13da44c4b4c274c726a3f78b420f343cdf3dc68c110f78a043a4f613dee83f907b244abf37e8b4f82e66ccf99fdc7c701

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8080157.exe

    Filesize

    176KB

    MD5

    ddb244e9f36fe72ca98af93f27ccca45

    SHA1

    72364a4213d5492380f74f58da65510b99f9bcda

    SHA256

    6c03f21a333324a8b8f7b5534d05695e4ff8f7e8e1c2f55aad403fb0d95135de

    SHA512

    3e98bccf37ada4a8bf24c84b73fcea3effe1733eb53a4eda540ab1da0a661a93d9866703b2e98d8dcc25c689b54767d8d1f0d085c21656b2e33106f796f3b3b6

  • memory/4324-24-0x00000000004B0000-0x00000000004E0000-memory.dmp

    Filesize

    192KB

  • memory/4324-25-0x00000000029C0000-0x00000000029C6000-memory.dmp

    Filesize

    24KB

  • memory/4324-26-0x0000000005640000-0x0000000005C58000-memory.dmp

    Filesize

    6.1MB

  • memory/4324-27-0x0000000005130000-0x000000000523A000-memory.dmp

    Filesize

    1.0MB

  • memory/4324-28-0x0000000002A10000-0x0000000002A22000-memory.dmp

    Filesize

    72KB

  • memory/4324-29-0x0000000004FD0000-0x000000000500C000-memory.dmp

    Filesize

    240KB

  • memory/4324-30-0x0000000005020000-0x000000000506C000-memory.dmp

    Filesize

    304KB