Overview
overview
10Static
static
30805913f50...13.exe
windows10-2004-x64
1011eba51293...3a.exe
windows10-2004-x64
1017a0568b20...3a.exe
windows10-2004-x64
10346c46bc82...26.exe
windows10-2004-x64
104867af9d5d...1f.exe
windows10-2004-x64
105f2f269e1f...9a.exe
windows10-2004-x64
1064e73ef21d...a1.exe
windows10-2004-x64
107c556f6f80...61.exe
windows10-2004-x64
108c970cc94c...d3.exe
windows10-2004-x64
109296923f57...24.exe
windows10-2004-x64
10ae96a881fd...69.exe
windows10-2004-x64
10b150b2b6ed...d5.exe
windows10-2004-x64
10c1b0ce286b...51.exe
windows10-2004-x64
10c1d1b117a2...35.exe
windows10-2004-x64
10d876400b35...04.exe
windows10-2004-x64
10eb3bd6af82...52.exe
windows10-2004-x64
10eb7c2e9dc2...28.exe
windows10-2004-x64
10ed2eb0d5dc...bf.exe
windows10-2004-x64
10fc2a396813...13.exe
windows10-2004-x64
10fd4ce916b7...90.exe
windows10-2004-x64
10Analysis
-
max time kernel
134s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 18:47
Static task
static1
Behavioral task
behavioral1
Sample
0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
8c970cc94c6aab0b503af6d60e60f5c6c870576c82be9233ab884894899a97d3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
ae96a881fddd0471c5a462a0b27848d72c34ba866c6061e0f84ab3a1097a7a69.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
eb7c2e9dc2416d5168ea11cdee85ea662e4aa32921edbe521787e1a7dcc79228.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
fc2a3968133c3c96ae55dfdd56ca5b4dd51ed30658a98d55193b96e1533f4013.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe
Resource
win10v2004-20240508-en
General
-
Target
64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
-
Size
563KB
-
MD5
b1cad70cea703c95c6bf90d74c4bfd89
-
SHA1
1a08e9ad7c417a5011915ccda1a1ec130cd7d3ac
-
SHA256
64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1
-
SHA512
4f7c7367da4b3009f5f1691832f88de0a7df9103ba16ff43c92fb3d0eec813005a6f6f31e0b3853b2ce07e2d5c9d0be331f1e60bed9bf8f3b3ebcbcab9a4b2de
-
SSDEEP
12288:KMrxy90uoiqvTegFhHXzNOI+74h82WRiHJ1CVVVV:nyKEgXHDNn+487Ry4VV
Malware Config
Extracted
redline
kendo
77.91.124.82:19071
-
auth_value
5a22a881561d49941415902859b51f14
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral7/memory/2668-14-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral7/memory/2668-15-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral7/memory/2668-18-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral7/memory/2668-16-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral7/files/0x0007000000023559-20.dat family_redline behavioral7/memory/4624-22-0x00000000006D0000-0x0000000000700000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 2892 x5112215.exe 2856 g1240082.exe 4624 h7567252.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x5112215.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2856 set thread context of 2668 2856 g1240082.exe 95 -
Program crash 2 IoCs
pid pid_target Process procid_target 5044 2668 WerFault.exe 95 1196 2856 WerFault.exe 91 -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 2200 wrote to memory of 2892 2200 64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe 90 PID 2200 wrote to memory of 2892 2200 64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe 90 PID 2200 wrote to memory of 2892 2200 64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe 90 PID 2892 wrote to memory of 2856 2892 x5112215.exe 91 PID 2892 wrote to memory of 2856 2892 x5112215.exe 91 PID 2892 wrote to memory of 2856 2892 x5112215.exe 91 PID 2856 wrote to memory of 4460 2856 g1240082.exe 94 PID 2856 wrote to memory of 4460 2856 g1240082.exe 94 PID 2856 wrote to memory of 4460 2856 g1240082.exe 94 PID 2856 wrote to memory of 2668 2856 g1240082.exe 95 PID 2856 wrote to memory of 2668 2856 g1240082.exe 95 PID 2856 wrote to memory of 2668 2856 g1240082.exe 95 PID 2856 wrote to memory of 2668 2856 g1240082.exe 95 PID 2856 wrote to memory of 2668 2856 g1240082.exe 95 PID 2856 wrote to memory of 2668 2856 g1240082.exe 95 PID 2856 wrote to memory of 2668 2856 g1240082.exe 95 PID 2856 wrote to memory of 2668 2856 g1240082.exe 95 PID 2856 wrote to memory of 2668 2856 g1240082.exe 95 PID 2856 wrote to memory of 2668 2856 g1240082.exe 95 PID 2892 wrote to memory of 4624 2892 x5112215.exe 102 PID 2892 wrote to memory of 4624 2892 x5112215.exe 102 PID 2892 wrote to memory of 4624 2892 x5112215.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe"C:\Users\Admin\AppData\Local\Temp\64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5112215.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1240082.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:4460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:2668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 5405⤵
- Program crash
PID:5044
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 5884⤵
- Program crash
PID:1196
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7567252.exe3⤵
- Executes dropped EXE
PID:4624
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2856 -ip 28561⤵PID:4508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2668 -ip 26681⤵PID:4108
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:81⤵PID:4968
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
397KB
MD5b2df6c5958efbdbc123148c627bb41d3
SHA1fee833e9d20ba95a4fcad101b661315c65c0a4da
SHA256101390dd16f1eac4157fdecbec16f38454803a89cf0599bfeef301bc6f0ca7a9
SHA512a584aeae7d51d998e6a3f4803863b1aa7c867b5a6db90a64318ab8ceb5db54233b165394e324f52e0a0296ef35cb216a72a82be632f41c9963d698d3b3a0fec9
-
Filesize
379KB
MD5d5cf94dd77a8375c5145e566609bb0c9
SHA1ae8dba7cb8ebf33368aab97ec5f150831fd40823
SHA256b36053dda1b1c85bde6a04a395a6e5b08d76298beaa32183eaed4b9d26787ba1
SHA5121dffe0772e113fb38515755d4f3fb5938e24698bc26efccc38547e8f08c4673b7e7dd2c26f4af628c7c1745d41f59d26a0f269062638b9ec1ec60a5daf2dec00
-
Filesize
174KB
MD58e1c9385ea1a727897547ab26f729562
SHA152e8c50fded14c4b40a303af8b2e730d8ea40879
SHA2562abb2c0b109b138ffbdd22abdb8921dca6790eabf870405bd491c4194d34ec07
SHA512b5f60aab2c3f7ed632adebf5f71a77b3606df9da283219b965151d99e9173d4e2d02eb8d0ea514f13ff7c9f5e44ecb6325d8f7b24ee7b0c67dc707dd19a8778f