Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:04

General

  • Target

    11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a.exe

  • Size

    609KB

  • MD5

    703253f6264bc91569813f4a823cd21a

  • SHA1

    6631769e1f66e381737de8b3c2fdd6ab066e9e57

  • SHA256

    11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a

  • SHA512

    b41b64fe7c5ff95253e8b1130b19fbc330a87559dd1dda8df1ee265dcb0c2fe5ec07d2e493db360c09c3ba67b0bd79e412dee1157f25a9ea6187e01364fb6645

  • SSDEEP

    12288:EMruy90TI/OchkT+nMNtFyGjtCVfbyt5YyQc3kpU36vaMfxcwRKQP2:CyAoHh9nwyP+t2Q3QJPJV2

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a.exe
    "C:\Users\Admin\AppData\Local\Temp\11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4855231.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4855231.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9263511.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9263511.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1052235.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1052235.exe
          4⤵
          • Executes dropped EXE
          PID:4396
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0792271.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0792271.exe
          4⤵
          • Executes dropped EXE
          PID:1948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4855231.exe

    Filesize

    507KB

    MD5

    3373c5d8b1f687ab401206c1c335dd4d

    SHA1

    8f5b9dd51b22bb7fa06c4d16c0e9b4d0895b4022

    SHA256

    8d4849f856d252681ffcf6d02ff1b2a6d31ec025d2582b996264f1970bb80119

    SHA512

    136a3a81085c381192e40d704cd8653280fa7d7a73d07742899d15f2a743489cf172c656bd8b00a06f0f2861d4282ec0a9b23d86322118c343fc69848edbcb18

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9263511.exe

    Filesize

    271KB

    MD5

    e877af69a780ca7c733364045db42a0a

    SHA1

    41110ddc03bee1884838f7d978440864d76f5bb7

    SHA256

    04e594844e2a7ad51cdd5e6bf418408d2bb4155c37b1412a9c638e3b46bfb77e

    SHA512

    807ed6885da744e33c90a80989e704b04739193f98e8af708ef41a02e81912a6e1b5b8fc38b4a66472eb212dcc28d22e7bcb751ac341b19d3970312061e3b109

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1052235.exe

    Filesize

    140KB

    MD5

    b02c4110090218d1e37a3e10a9299d55

    SHA1

    99145089f3d1fef98445e14d9809a61f4493419a

    SHA256

    4848b2f3bfab7de12b28a82f5cd66186d2fdfd3e4e499a2de962db359ff0e835

    SHA512

    1ff80a5c4b3c8a2840eb8eae4382c5f0dba2a345e4472c7ff9ad8ee83acb3bf95d5db0075c2bbe41aeeb5612a646340ab06c8e59c2511450ce05f132ce9dfdcf

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0792271.exe

    Filesize

    176KB

    MD5

    9c8285c0b2b2816526132a39efcd24f5

    SHA1

    6753bf330f50334499c3aefacfdf05cf9898281d

    SHA256

    ff89907e38299a4701f901fcf624e2196e0ae2bc3d5a064e0aad74d1ce9efc5d

    SHA512

    33e5b23ecd0d5f4e29ef338b34fb92715a2ef7ffbef2b826f91d2fd047333c10104e2050a76d501d1faa7a702ecb4a86c905da8aa96593bc1d6aa7cb47bf86de

  • memory/1948-24-0x00000000009B0000-0x00000000009E0000-memory.dmp

    Filesize

    192KB

  • memory/1948-25-0x0000000002C60000-0x0000000002C66000-memory.dmp

    Filesize

    24KB

  • memory/1948-26-0x00000000058F0000-0x0000000005F08000-memory.dmp

    Filesize

    6.1MB

  • memory/1948-27-0x0000000005400000-0x000000000550A000-memory.dmp

    Filesize

    1.0MB

  • memory/1948-28-0x0000000005330000-0x0000000005342000-memory.dmp

    Filesize

    72KB

  • memory/1948-29-0x0000000005390000-0x00000000053CC000-memory.dmp

    Filesize

    240KB

  • memory/1948-30-0x0000000005510000-0x000000000555C000-memory.dmp

    Filesize

    304KB