Overview

overview

10

Static

static

3

1b7cbee30e...8d.exe

windows10-2004-x64

10

1cb2277eea...2a.exe

windows10-2004-x64

10

26dae86d00...a2.exe

windows10-2004-x64

10

35cd974b16...ec.exe

windows10-2004-x64

10

45e7028a78...91.exe

windows10-2004-x64

10

4cd2f124df...48.exe

windows10-2004-x64

10

5fdef2b38d...0a.exe

windows10-2004-x64

10

7284e9e031...c7.exe

windows10-2004-x64

10

781c022afd...54.exe

windows10-2004-x64

10

84163f9b0d...a5.exe

windows10-2004-x64

10

90251e43cd...e4.exe

windows10-2004-x64

10

9a3023ff33...37.exe

windows10-2004-x64

10

b4b999d8f3...50.exe

windows7-x64

10

b4b999d8f3...50.exe

windows10-2004-x64

10

bdd93956fe...8b.exe

windows10-2004-x64

10

cf840721c0...70.exe

windows10-2004-x64

10

e52fb58b8a...f1.exe

windows10-2004-x64

10

ecfbac56ff...9e.exe

windows10-2004-x64

10

f0f492b9b0...9a.exe

windows10-2004-x64

10

f921df4c23...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d.exe

  • Size

    571KB

  • MD5

    9333ac50afdfd0f4841ce14109290cb0

  • SHA1

    4b87ae7a51fd402f57eec512302336848dda5efc

  • SHA256

    f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d

  • SHA512

    8a1ac62aaf5531a95a1cbb2496b60b86c50e7b406483db0fcfe35ea910c2a5a726de4374507d8aee76eb07d67bd8b6d188d56c866c2657b9c4d71835b2e99c03

  • SSDEEP

    12288:3MrPy90PkK06Ds5RF6ImOxhgnLHNKLvFtzNyd:UyKp06Ds5RiOb3HzId

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d.exe
    "C:\Users\Admin\AppData\Local\Temp\f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1hU59RW6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1hU59RW6.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:1596
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 540
            4⤵
            • Program crash
            PID:4736
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Oz172KQ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Oz172KQ.exe
        2⤵
        • Executes dropped EXE
        PID:4900
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1596 -ip 1596
      1⤵
        PID:4160

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1hU59RW6.exe
        Filesize

        1.1MB

        MD5

        0c332b116b3b9c3e373137d227f9274b

        SHA1

        bd1d8bdb2d66ae6f322515a322a012311a8932c7

        SHA256

        8df8445ea37afc6e4bb34bb9a3ddc0445cc6621f8a353829f63a9864411202c8

        SHA512

        925e9e0e38f80f3279f7e4cd411c3d9835df8964868b6ac40348cfadbfc64239054a81a1449b9985482cf847ca2f68d3743bd83323af7bd551ecf11b86a18abe

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Oz172KQ.exe
        Filesize

        223KB

        MD5

        df52490a04237bd429a7a0949f030ffd

        SHA1

        d53f765cee7c2245f799b29a829abdc5a75b4a7c

        SHA256

        f17e56d3dda97d462609b3e69cbf0e40961e077862e9b820d802a2e6121de82f

        SHA512

        5fccb362059338ad0b4eeb20fe551d8e85463a6e6e136612cb37b44a983a546e0cb4febb2b0ba105795624edd2fdcaee46ba41238d2bd3fa81bfcaf3ce5ca94a

        Download Submit
      • memory/1596-7-0x0000000000400000-0x0000000000432000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1596-9-0x0000000000400000-0x0000000000432000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1596-8-0x0000000000400000-0x0000000000432000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1596-11-0x0000000000400000-0x0000000000432000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4900-17-0x0000000008290000-0x0000000008834000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4900-16-0x0000000000E20000-0x0000000000E5E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/4900-15-0x000000007402E000-0x000000007402F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4900-18-0x0000000007D80000-0x0000000007E12000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4900-19-0x0000000003170000-0x000000000317A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4900-20-0x0000000074020000-0x00000000747D0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4900-21-0x0000000008E60000-0x0000000009478000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/4900-22-0x0000000008110000-0x000000000821A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/4900-23-0x0000000007F10000-0x0000000007F22000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4900-24-0x0000000007F70000-0x0000000007FAC000-memory.dmp
        Filesize

        240KB

        Download
      • memory/4900-25-0x0000000008000000-0x000000000804C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4900-26-0x000000007402E000-0x000000007402F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4900-27-0x0000000074020000-0x00000000747D0000-memory.dmp
        Filesize

        7.7MB

        Download