Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 18:55

General

  • Target

    45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe

  • Size

    755KB

  • MD5

    a8fcd15d6414b6c08115a5e60be61b25

  • SHA1

    830a5c4f18c0367b4670f93b8453b0db062bb1a1

  • SHA256

    45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291

  • SHA512

    b7fc5d3eba1a930a4bd10f66dc0fbce764e699590bbc401bd4332ab665db0bf5b0c057b2f6ede46bad0d23faea64700a203cc869030b9bbbfdd6852b3e6db321

  • SSDEEP

    12288:SMrMy90Di0caFI+xNOWU1lllt3m/S9nBu8sUYItU0chSrVBRXqO:iyIiPaB0lPMS9nKItrTJ

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe
    "C:\Users\Admin\AppData\Local\Temp\45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ft5ab1zh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ft5ab1zh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:412
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1on91Ip6.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1on91Ip6.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3296
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 544
              5⤵
              • Program crash
              PID:4876
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2dX334Ae.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2dX334Ae.exe
          3⤵
          • Executes dropped EXE
          PID:2220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3296 -ip 3296
      1⤵
        PID:1988

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ft5ab1zh.exe

        Filesize

        559KB

        MD5

        abfa4785861a2e62c3d362993ca7f501

        SHA1

        ba33c215b9b085a98b7143ce490dff4d311805ac

        SHA256

        547e7ab64c28ee91628ba4ac75deb684cfa2fc9127ab1e6d94aff515e17d85ca

        SHA512

        7d38763c675e6223159af2ef18c5ba25b627fb8365b40617f53f58dbcc39f7ac10995546a08cc596d33a6609889023500927d468811906559309c2e2d09d7814

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1on91Ip6.exe

        Filesize

        1.0MB

        MD5

        27b6c5100365f96dcffe11b39171419d

        SHA1

        5fcbfdba53e3cb3650fac1aa74d10766c95ec203

        SHA256

        e3e693f95250d7a51c844f5789c94161ccbcfe753c99f8c25a967c1454aaa4ad

        SHA512

        01f8b0de97d3157e38c2e31e280afe54292308f97787d988ea6b745225d6dcdb06ba69fba7c848ddb9df56ecf105fe7a1325f908c34208cd7039184fb3e27ffe

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2dX334Ae.exe

        Filesize

        222KB

        MD5

        9cd5de8e5b8a765d86c0e4dcc45e463d

        SHA1

        0836c9d35bbc08eb3018207a01243d48cbb863d7

        SHA256

        81e314a10696926ade8773ee064777c6eb1bf38538d77a03bdada808d175297b

        SHA512

        eb95187480036417e53cf8a07fe66b6d63faa499ab17728cb61ea9f5c45b26e0c9f9dd4d0bda6c6cc453847fae87e568f31252d5f0e11efd4f67d57a1573a66c

      • memory/2220-27-0x0000000007670000-0x000000000777A000-memory.dmp

        Filesize

        1.0MB

      • memory/2220-22-0x00000000004A0000-0x00000000004DE000-memory.dmp

        Filesize

        248KB

      • memory/2220-23-0x00000000078B0000-0x0000000007E54000-memory.dmp

        Filesize

        5.6MB

      • memory/2220-24-0x00000000073A0000-0x0000000007432000-memory.dmp

        Filesize

        584KB

      • memory/2220-25-0x0000000004950000-0x000000000495A000-memory.dmp

        Filesize

        40KB

      • memory/2220-26-0x0000000008480000-0x0000000008A98000-memory.dmp

        Filesize

        6.1MB

      • memory/2220-28-0x00000000075A0000-0x00000000075B2000-memory.dmp

        Filesize

        72KB

      • memory/2220-29-0x0000000007600000-0x000000000763C000-memory.dmp

        Filesize

        240KB

      • memory/2220-30-0x0000000007780000-0x00000000077CC000-memory.dmp

        Filesize

        304KB

      • memory/3296-16-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/3296-14-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/3296-15-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

      • memory/3296-18-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB