Overview
overview
10Static
static
30805913f50...13.exe
windows10-2004-x64
1011eba51293...3a.exe
windows10-2004-x64
1017a0568b20...3a.exe
windows10-2004-x64
10346c46bc82...26.exe
windows10-2004-x64
104867af9d5d...1f.exe
windows10-2004-x64
105f2f269e1f...9a.exe
windows10-2004-x64
1064e73ef21d...a1.exe
windows10-2004-x64
107c556f6f80...61.exe
windows10-2004-x64
108c970cc94c...d3.exe
windows10-2004-x64
109296923f57...24.exe
windows10-2004-x64
10ae96a881fd...69.exe
windows10-2004-x64
10b150b2b6ed...d5.exe
windows10-2004-x64
10c1b0ce286b...51.exe
windows10-2004-x64
10c1d1b117a2...35.exe
windows10-2004-x64
10d876400b35...04.exe
windows10-2004-x64
10eb3bd6af82...52.exe
windows10-2004-x64
10eb7c2e9dc2...28.exe
windows10-2004-x64
10ed2eb0d5dc...bf.exe
windows10-2004-x64
10fc2a396813...13.exe
windows10-2004-x64
10fd4ce916b7...90.exe
windows10-2004-x64
10Analysis
-
max time kernel
139s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 18:47
Static task
static1
Behavioral task
behavioral1
Sample
0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
8c970cc94c6aab0b503af6d60e60f5c6c870576c82be9233ab884894899a97d3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
ae96a881fddd0471c5a462a0b27848d72c34ba866c6061e0f84ab3a1097a7a69.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
eb7c2e9dc2416d5168ea11cdee85ea662e4aa32921edbe521787e1a7dcc79228.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
fc2a3968133c3c96ae55dfdd56ca5b4dd51ed30658a98d55193b96e1533f4013.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe
Resource
win10v2004-20240508-en
General
-
Target
17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe
-
Size
604KB
-
MD5
4a49f25c21c373471295f4badcee8cd5
-
SHA1
dc1871d02c5f5af9ae2a0e24ff0c1cce6ef48b58
-
SHA256
17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a
-
SHA512
95261235a51c77f85d1751907cea517529a9bc6179af76ab2c494ff2f702cf265f8bee8fb60b74ab7bb8094432fa9572bed065078a133480ff3c93069347d69c
-
SSDEEP
12288:hMray90lso2v9t6ehpXEtFyGjjCYfHGp1Pu5UJK6PYwqbPa3Vr:vySX2v9t6lyGmm5UE6PYPbSB
Malware Config
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
Detect Mystic stealer payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4249757.exe mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7689082.exe family_redline behavioral3/memory/4064-24-0x0000000000830000-0x0000000000860000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
Processes:
y9132069.exey5858526.exem4249757.exen7689082.exepid process 2364 y9132069.exe 2268 y5858526.exe 3928 m4249757.exe 4064 n7689082.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exey9132069.exey5858526.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y9132069.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y5858526.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exey9132069.exey5858526.exedescription pid process target process PID 2324 wrote to memory of 2364 2324 17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe y9132069.exe PID 2324 wrote to memory of 2364 2324 17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe y9132069.exe PID 2324 wrote to memory of 2364 2324 17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe y9132069.exe PID 2364 wrote to memory of 2268 2364 y9132069.exe y5858526.exe PID 2364 wrote to memory of 2268 2364 y9132069.exe y5858526.exe PID 2364 wrote to memory of 2268 2364 y9132069.exe y5858526.exe PID 2268 wrote to memory of 3928 2268 y5858526.exe m4249757.exe PID 2268 wrote to memory of 3928 2268 y5858526.exe m4249757.exe PID 2268 wrote to memory of 3928 2268 y5858526.exe m4249757.exe PID 2268 wrote to memory of 4064 2268 y5858526.exe n7689082.exe PID 2268 wrote to memory of 4064 2268 y5858526.exe n7689082.exe PID 2268 wrote to memory of 4064 2268 y5858526.exe n7689082.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe"C:\Users\Admin\AppData\Local\Temp\17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9132069.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9132069.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5858526.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5858526.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4249757.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4249757.exe4⤵
- Executes dropped EXE
PID:3928 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7689082.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7689082.exe4⤵
- Executes dropped EXE
PID:4064
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
502KB
MD525e3bca86360bf2bb73c7b70061a59c3
SHA11cd97c06a7ccbc2358b98d0bf3af621e908f7e6f
SHA256647ada02fb7f8a8a7faba9d10d2f777fc67b996528ff6d71abf8a2ea0b834dae
SHA51227d057942d932005dbfd0ff1a6858e498745213bc180826d72350bc7d0d81845f5620deff3451e821d4dd1646ad4bc5d0b339dd2500f82a30ee64e60ab200ddb
-
Filesize
271KB
MD5139bb4edad53da946c1a60ea71f03baf
SHA159849c83d51d256c2754887d285639bc8573a643
SHA25605eaf997c36b1e89bff34628335e547b0a9aa8f25865630ee05eeb9bacc07c72
SHA51222d9b28876fac7d48aaf5fd8e6bdc494acedf510a8bd740a3c85e5ae127148029bb358247c99186f30d4980af4d4f82ad131e74bc42ca38fd469c4a64879805f
-
Filesize
140KB
MD5c8f4393642b24557d6017f13187f9aae
SHA1e0a1c6a30b6e231d058203ad23c3e0c354280a86
SHA256b89c878c7ef7437c591d3879e7f3d78e9219551ad031f749efed6776df808061
SHA512b42e05231ff54ca16b8d0c5cc88fa9884895d72f987ab8b150e76a6504c62b4c73c6cda84f2a2a78d1d5a529b4b1454a8b527988d227b4daa472af88585982f0
-
Filesize
176KB
MD5f47c0c4e7087bbf69b4cfca759c3d415
SHA1c330561512ff8cb20054fca477262fa3484294af
SHA256a53d48e6d0b462026a551feb3535a1a8c76fb0f8a6b482a384e59b1a470ed172
SHA51229d033c7de833ea20f26ef701681f13ea41a12d00f65a91ed742f3ebb19467ab49fda47ee4c19e89a166566a12a8dab1f533f306271578d9dd5324104fc55176