Overview
overview
10Static
static
301f1d397ee...7e.exe
windows10-2004-x64
10061d4b3cae...c3.exe
windows10-2004-x64
101510cb1a4f...7d.exe
windows10-2004-x64
1018c958ac25...40.exe
windows10-2004-x64
101ae5f47f1c...e8.exe
windows10-2004-x64
1027768bc448...de.exe
windows10-2004-x64
1032de0993bc...1e.exe
windows10-2004-x64
104758300458...ca.exe
windows10-2004-x64
1058fadac014...99.exe
windows10-2004-x64
105bcb59af1e...c1.exe
windows10-2004-x64
106e55f3939c...05.exe
windows10-2004-x64
107974488bc6...15.exe
windows10-2004-x64
10835316bac6...9f.exe
windows10-2004-x64
109e24511e4a...1c.exe
windows10-2004-x64
10a9634fd1ba...2f.exe
windows10-2004-x64
10c1f424012a...97.exe
windows10-2004-x64
10d73983a055...6c.exe
windows10-2004-x64
10d7acd7c73c...c4.exe
windows10-2004-x64
10e7a1c6bd3a...74.exe
windows10-2004-x64
10e9a8b4bb4d...42.exe
windows10-2004-x64
10Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 19:04
Static task
static1
Behavioral task
behavioral1
Sample
01f1d397eef76f3dd4c0d5121d6596a6ff410ea7e8fe3ebd913d701f9928557e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
061d4b3cae1ba072bfa6849a31d62afd811d04b5a2eabddc17081e56f1701cc3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
1510cb1a4ff1f8027f8f81a2905978b60e40fed8901c2f4c5e99e35801083d7d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
18c958ac2546c1661c9e22160d98271416eb758de547c310b4383874d4384f40.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
1ae5f47f1c4c38ae30421b7b2d3551cc7678aa01afe0501ade7019fa35f63be8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
27768bc4484847752b8e6b935f4d0a7c52af11184186bd7e6297fb761bebcbde.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral8
Sample
47583004588b256f019d58b713a937997ecef0edd4d8392a3f8836dedd537bca.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
58fadac0148f4700691a27abba4e41a0df870120ca131083c61a9404cf59cd99.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
5bcb59af1e8fdc9fb69507e4637417a278a508a73a46fcb1cb6472bf434d61c1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
7974488bc67afaac8d23b7341dc9f5768ae9f7551986b8176038e4384fade015.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
835316bac6a8889d99c5d6d8e4efcab2f58dca79af1177a540dfd6310524959f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
9e24511e4ae502d0fa4c07e62872ab93857f9a90cc4305ad201c665bb7dabb1c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
a9634fd1ba8044a7eab6578eb584c6d9fb03ce50d998b0cd9babf4950e75e22f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
c1f424012a2d01ca458f9aa1aee9cfff75d79a0d7398ed9d13463a386f0c9297.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
d73983a05531434ce8059cbecd66902874ebb8b890a3d571cf7d1a5b9808c76c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
d7acd7c73cc74a8d699adc50bd3fd6a4f7a58beba960ec5bd429c4ad058a65c4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e7a1c6bd3aba15347d3f975781da052144282ff4be210a7d47fa919718a09d74.exe
Resource
win10v2004-20240508-en
General
-
Target
6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe
-
Size
604KB
-
MD5
59dce709730f2f2ade77ccbf09dbfdc3
-
SHA1
faff86182c2b5610795196c4e42c1ff3bf5c1bb4
-
SHA256
6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05
-
SHA512
2df0843fafdfaf2db5adf8c195ba9c2eac261baa19eb7dfa6add046bba2a260298becd9185d367e2bfc363abc69ff2115f803a51665cadcd40185cb6c7af4cbb
-
SSDEEP
12288:wMrgy90uzPFjPfRl6Ki8tBpNAol1+4p8pC49FN5z0NfUMHOKCjw:Ay3FjRIKim7N54gAV9FN10NfrH
Malware Config
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral11/files/0x0008000000023447-20.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral11/files/0x0007000000023448-22.dat family_redline behavioral11/memory/4400-24-0x0000000000690000-0x00000000006C0000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 1260 y5788019.exe 216 y4634208.exe 1412 m1036678.exe 4400 n3568974.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y5788019.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y4634208.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3696 wrote to memory of 1260 3696 6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe 84 PID 3696 wrote to memory of 1260 3696 6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe 84 PID 3696 wrote to memory of 1260 3696 6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe 84 PID 1260 wrote to memory of 216 1260 y5788019.exe 85 PID 1260 wrote to memory of 216 1260 y5788019.exe 85 PID 1260 wrote to memory of 216 1260 y5788019.exe 85 PID 216 wrote to memory of 1412 216 y4634208.exe 86 PID 216 wrote to memory of 1412 216 y4634208.exe 86 PID 216 wrote to memory of 1412 216 y4634208.exe 86 PID 216 wrote to memory of 4400 216 y4634208.exe 87 PID 216 wrote to memory of 4400 216 y4634208.exe 87 PID 216 wrote to memory of 4400 216 y4634208.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe"C:\Users\Admin\AppData\Local\Temp\6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5788019.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5788019.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4634208.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4634208.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1036678.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1036678.exe4⤵
- Executes dropped EXE
PID:1412
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3568974.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3568974.exe4⤵
- Executes dropped EXE
PID:4400
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
502KB
MD53e21ea6c80d9c720ea5b62d89b7ab10b
SHA12691f92f733b116623aa02823f9f809096f9540b
SHA256118e3ec6483f72e11d958d743dfaad85256c2d0979cf5dec69acefaaabcd8f89
SHA512e0ddf0ccc4aec49baedbae4d70c2221cb1710abcb2b68590d1556dde8af2e572e0b239e709fbeb420125d05b7703f044c7f0a2c4260c2e6e2cd7324492bcea32
-
Filesize
271KB
MD5e9b6528a6b965e8d92f0fa46552ecf45
SHA1319155ac387f08654617820a9b3656683156fff1
SHA2562b0f74b1ca041661d51022359cd7d75a9f10e9652874e983cab634726cc4acaf
SHA51220a1f20560b1a8d8180abe73ea44dcd9108ca602239ba0ec666664c9f655db0a44e1a71cdb21e04b7e45e60adf2429f8f73953f2d07fa0b8c28d183f0e19d3a4
-
Filesize
140KB
MD5d6c2a76c484668ec452d03e2fa65f73d
SHA14d32b2a66c866d5d7e4a585bc84500229e72c138
SHA256da95aa77c1722b526ffd21b41c9df600eda6e0cecf6e905d301d3f9ad2b2bc70
SHA512d39f65f35744c64b6c770c4661831b40805dcea2f266da32e25903f72f010682d18ca30df2906e8a1f864ff6489b9b5256e4f44ccc9f0916d85ce7cc7018d1e3
-
Filesize
176KB
MD5ab799ac1c1738d1fe08c9883a4f50946
SHA159b75561f2e5e7a48b6cbf16cec2a56a47972851
SHA25693b8bc8a7de2c6b6f17eaf32d7da670b91c6f5484380ac0bb5ebb189536e196a
SHA5120617e340056cfa0db616029e224a9ba8a2429efabc3958de2ad43b186ba67e4066db55271eb50a5d052a43c2b92c028231682d1e36778902b4f0cde9352fd70b